Dovecot multiple passdb and fail2ban

2019-05-26 Thread Joaquin F via dovecot
Objective: different password for remote and local imap login

Version: 2.2.36 (1f10bfa63) on CentOS 7
Users are from Active Directory, mapped to local users via sssd

After much experimentation, I have configured this way:
   doveconf -n passdb userdb
   passdb {
     args = username_format=%Ln /etc/dovecot/remote
     driver = passwd-file
     skip = authenticated
     username_filter = user01 user02
   }
   passdb {
     driver = pam
     override_fields = allow_nets=127.0.0.0/8,192.168.1.0/24
     skip = authenticated
   }
   userdb {
     driver = passwd
   }

If I put the passdbs in the reverse order, I would get failure
messages (when logging in remotely) in /var/log/secure, such as:
   auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user02 rhost=xx.xx.xx.xx user=user02
Which caused fail2ban to ban that IP.

/etc/fail2ban/jail.local
   [dovecot]
   enabled = true
   port = imap,imaps

If I set "auth_verbose = yes", then I can see messages (when
logging in locally) in /var/log/maillog:
   dovecot: auth: passwd-file(user02,192.168.1.20,): Password mismatch
which is probably not a big deal... but seems inefficient?

Question: is there a more elegant way to use different passdb depending on ip?

Thanks in advance.
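
The behaviour described in this post, as a simplified model added here (not code from the post or from Dovecot): it walks both passdb orders for a remote and a local login and records which log a failed check would land in. The passwords, user03 and the address 203.0.113.7 are constructed, the log strings are abbreviated tags, and applying allow_nets only after the PAM password check is an assumption.

```python
import ipaddress

# Constructed sample data; only user01/user02 and the networks come from the post.
REMOTE_PW = {"user02": "remote-secret"}        # stands in for /etc/dovecot/remote
AD_PW = {"user02": "ad-secret", "user03": "ad-secret3"}  # stands in for PAM/sssd
FILTER = {"user01", "user02"}                  # username_filter
ALLOW_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]


def passwd_file(user, password, ip, log):
    if user not in FILTER:
        return None                            # filter mismatch: passdb not consulted
    if REMOTE_PW.get(user) == password:
        return True
    # Visible only with auth_verbose = yes, as the post notes.
    log.append(f"maillog: passwd-file({user},{ip}): Password mismatch")
    return False


def pam(user, password, ip, log):
    if AD_PW.get(user) != password:
        # This is the line the post says fail2ban reacted to.
        log.append(f"secure: pam_sss authentication failure rhost={ip} user={user}")
        return False
    # Assumption: allow_nets is applied after the password has been verified.
    return any(ipaddress.ip_address(ip) in n for n in ALLOW_NETS)


def login(chain, user, password, ip):
    """Return (authenticated, log lines) for one login attempt."""
    log, ok = [], False
    for passdb in chain:
        if ok:                                 # skip = authenticated
            continue
        ok = passdb(user, password, ip, log) is True
    return ok, log


AS_POSTED = [passwd_file, pam]
REVERSED = [pam, passwd_file]

if __name__ == "__main__":
    cases = [("remote", "user02", "remote-secret", "203.0.113.7"),
             ("local", "user02", "ad-secret", "192.168.1.20")]
    for name, chain in (("as posted", AS_POSTED), ("reversed", REVERSED)):
        for where, user, pw, ip in cases:
            print(name, where, login(chain, user, pw, ip))
```

In the reversed order the remote login still succeeds, but only after a pam_sss failure has been written to /var/log/secure, which is the line a log-based ban acts on.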


doveadm - mailbox to filesystem directory?

2019-05-06 Thread Joaquin F via dovecot
Is it possible to get the filesystem location (directory name) for a
given mailbox?
The closest I found was parsing the output of "doveadm -D mailbox
create", but this only works if the mailbox doesn't exist yet and is
prone to failure if the debug output changes in future versions.
Using "doveadm mailbox mutf7" helps, but there are some ASCII characters
which are encoded. So far I've found "\" turns into "\5c", "." into
"\2e" and "/" to "\2f" and the separator to ".". But maybe there are
others.

Thanks in advance.

Version: dovecot 2.2.36 (1f10bfa63)
Relevant config:
 mail_location = maildir:~/Maildir
 protocols = imap
 namespace inbox {
   separator = "$"
 }