Topic: Track failed username and password for postfix smtp and dovecot
==== Required information ====
- iRedMail 0.9.6
- Linux/Debian
- Store mail accounts in MySQL
- Web server Apache
- Manage mail accounts with iRedAdmin-Pro? no
====
I would like to see the failed attempts' username and password combinations on my iRedMail server.
Ideally it would be in a log or automated email that is less cluttered than a debug=5 log file, as I would like to make this a permanent solution.
My fail2ban is working fine. I do get notified. I have it strict enough that a casual user is not going to get in. But I am getting enough hits that something seems bigger. A botnet? A nation state out for fun? I don't know and that is the problem. I can't realistically ban the entire planet.
So the reason for requesting this is to see if the failed attempts are getting close to a real password and who they are attacking. This way I would only need to alert the 1 or 2 users being picked on rather than everyone getting the message to change their email password just in case.
It would also be a nice idea if every user that gets a failed login attempt is sent an email informing them of the failure and the password used. Then the user can be self actualized.
What do you think? Good Idea? Bad Idea? Too hard? RTFM?
Any guidance on how to do this would be appreciated. My initial web search has yielded little help.
Thanks
Steve
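
One way to get the less cluttered per-user view asked for above, as an added example that is not part of the original post: a small Python summary of Dovecot authentication failures showing which accounts are targeted, from how many sources, and with how many distinct guesses. It assumes Dovecot's `auth_verbose = yes` and `auth_verbose_passwords = sha1:6` settings, which log a truncated SHA1 of the attempted password instead of the plaintext; the sample log lines are constructed, their exact layout is an assumption, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on Dovecot auth logging with
# auth_verbose = yes and auth_verbose_passwords = sha1:6 (assumed format).
SAMPLE_LOG = """\
Mar  3 10:01:12 mail dovecot: auth-worker(2211): sql(alice@example.com,203.0.113.5): Password mismatch (SHA1 of given password: 5baa61)
Mar  3 10:01:15 mail dovecot: auth-worker(2211): sql(alice@example.com,203.0.113.9): Password mismatch (SHA1 of given password: 7c4a8d)
Mar  3 10:01:19 mail dovecot: auth-worker(2211): sql(alice@example.com,198.51.100.7): Password mismatch (SHA1 of given password: 5baa61)
Mar  3 10:02:02 mail dovecot: auth-worker(2211): sql(bob@example.com,203.0.113.5): Password mismatch (SHA1 of given password: f7c3bc)
Mar  3 10:02:40 mail dovecot: auth-worker(2211): sql(nosuch@example.com,203.0.113.5): unknown user (SHA1 of given password: 5baa61)
Mar  3 10:03:00 mail dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=192.0.2.10
"""

# passdb(user,ip[,session]): reason [(SHA1 of given password: hex)]
FAIL_RE = re.compile(
    r"auth(?:-worker)?(?:\(\d+\))?: (?:Info: )?\w+\((?P<user>[^,()]*),(?P<ip>[^,()]+)[^)]*\): "
    r"(?P<reason>Password mismatch|unknown user)"
    r"(?: \(SHA1 of given password: (?P<pwhash>[0-9a-f]+)\))?",
    re.IGNORECASE)

def summarize(log_text):
    """Map each attacked login name to attempt count, source IPs and distinct guesses."""
    stats = defaultdict(lambda: {"attempts": 0, "sources": set(),
                                 "guesses": set(), "exists": True})
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        entry = stats[m["user"].lower()]
        entry["attempts"] += 1
        entry["sources"].add(m["ip"])
        if m["pwhash"]:
            entry["guesses"].add(m["pwhash"].lower())
        if m["reason"].lower() == "unknown user":
            entry["exists"] = False  # name was guessed, no such mailbox
    return dict(stats)

def targeted_accounts(stats, min_attempts=3):
    """Existing accounts with at least min_attempts failures, most-hit first."""
    hits = [(u, s) for u, s in stats.items()
            if s["exists"] and s["attempts"] >= min_attempts]
    return sorted(hits, key=lambda kv: -kv[1]["attempts"])

if __name__ == "__main__":
    for user, s in targeted_accounts(summarize(SAMPLE_LOG)):
        print(f"{user}: {s['attempts']} failures, {len(s['sources'])} source IPs, "
              f"{len(s['guesses'])} distinct password guesses")
```

Comparing a user's real password against the logged guesses then only needs the same truncated SHA1 of that password, so no attempted password has to be stored in clear text.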