Log authentication attempts
Aki Tuomi
aki.tuomi at dovecot.fi
Wed Jan 25 05:17:09 UTC 2017
> On January 25, 2017 at 12:24 AM Joseph Tam <jtam.home at gmail.com> wrote:
>
>
> On 24.01.2017 00:06, rej ex wrote:
>
> > Because we are building some monitoring application, we will need to
> > record all failed and successful login attempts. We need to record
> > remote IP, entered password in plain text, and if possible whether auth
> > request is for SMTP or IMAP session.
>
> SMTP? Wouldn't that be handled by your MTA, not Dovecot?
>
> Aki Tuomi wrote:
>
> > Since 2.2.27 we've had auth policy server support which can do this
> > properly.
>
> As I read the docs, the auth policy server would only get the hashed password, and
> wouldn't be able to record the plaintext password.
>
> Maybe use the checkpassword hook?
>
> http://wiki.dovecot.org/AuthDatabase/CheckPassword
>
> Joseph Tam <jtam.home at gmail.com>

So it would seem if you don't read it carefully.

auth_policy_request_attributes: Request attributes specification (see attributes section below)
Default: auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}

I invite you to consider what would happen if you were to replace %{hashed_password} with %{password}?

Aki