I use a script that watches log files looking for failed ssh login attempts and adds firewall rules when there are enough login failures within a certain amount of time. I would like to apply this to Dovecot to automatically firewall attackers trying to brute-force an IMAP account. Is there a way to make Dovecot log authentication failures (I'm running 1.0.rc10)? In other words, can I configure Dovecot to put something in the log the instant "NO Authentication failed" is sent to the IMAP user?
With "auth_verbose = yes" I can see individual authentication mechanisms fail, but I have multiple passdb sections so a failure in one mechanism doesn't mean a complete login failure. Thus, configuring the script to watch for individual mechanism failures may result in the firewalling of legitimate users.
Thanks for any info!
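The false-positive risk raised in the second paragraph, as an added example that is not part of the original post: a counter that treats every per-passdb failure as a failed login, next to one that counts an attempt as failed only when no success for the same user and address follows within a short grace period. The log format, the `GRACE`/`WINDOW`/`THRESHOLD` values and all function names are assumptions made for illustration; this is not Dovecot's actual log output.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical format (not Dovecot's real log output).
# alice: passdb "pam" rejects, "sql" then accepts. bob: every passdb rejects.
SAMPLE = """\
100 auth-fail passdb=pam user=alice rip=203.0.113.5
100 login-ok user=alice rip=203.0.113.5
110 auth-fail passdb=pam user=alice rip=203.0.113.5
110 login-ok user=alice rip=203.0.113.5
120 auth-fail passdb=pam user=alice rip=203.0.113.5
121 login-ok user=alice rip=203.0.113.5
130 auth-fail passdb=pam user=bob rip=198.51.100.9
130 auth-fail passdb=sql user=bob rip=198.51.100.9
140 auth-fail passdb=pam user=bob rip=198.51.100.9
140 auth-fail passdb=sql user=bob rip=198.51.100.9
150 auth-fail passdb=pam user=bob rip=198.51.100.9
150 auth-fail passdb=sql user=bob rip=198.51.100.9
""".splitlines()
LINE = re.compile(r"^(\d+) (auth-fail|login-ok) (?:passdb=\S+ )?user=(\S+) rip=(\S+)$")
GRACE, WINDOW, THRESHOLD = 2, 60, 3  # seconds, seconds, failed logins

def parse(lines):
    hits = (LINE.match(line.strip()) for line in lines)
    return [(int(m[1]), m[2], m[3], m[4]) for m in hits if m]

def over_threshold(failures):  # IPs with >= THRESHOLD failures inside WINDOW seconds
    recent, blocked = defaultdict(list), set()
    for t, ip in sorted(failures):
        recent[ip] = [x for x in recent[ip] if x >= t - WINDOW] + [t]
        if len(recent[ip]) >= THRESHOLD:
            blocked.add(ip)
    return blocked

def naive_blocklist(lines):  # every per-passdb failure counts as a failed login
    return over_threshold((t, ip) for t, kind, _, ip in parse(lines) if kind == "auth-fail")

def correlated_blocklist(lines):  # one failure per attempt, cancelled by a timely success
    pending, failures = {}, []    # pending: (user, ip) -> time of the attempt's first failure
    for t, kind, user, ip in parse(lines):
        key = (user, ip)
        if key in pending and t - pending[key] > GRACE:
            failures.append((pending.pop(key), ip))  # grace expired with no success
        if kind == "login-ok":
            pending.pop(key, None)                   # a later passdb accepted the login
        else:
            pending.setdefault(key, t)               # further passdb failures join the attempt
    failures += [(t, ip) for (_, ip), t in pending.items()]  # end of input: unresolved
    return over_threshold(failures)
```

A live watcher would expire pending attempts on a timer instead of at end of input, since a blocked address should not have to wait for its next log line.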