Hi,
we have recently been hit by a couple of brute force password attacks against dovecot. So what I want to do now is to add dovecot to fail2ban in order to block further attacks.
However, I don't seem to be able to find out password verification failures for our LDAP based user data.
The only thing I see are loads of lines like these in the logfiles:
-------CUT-------
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<ludovic>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luna>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<luke>, method=PLAIN, rip=217.147.235.52, lip=81.16.98.99
-------CUT-------
Googling the web I found that PAM based authentication obviously gives a matchable error message, but for some reason the ldap backend does not
- or does it?
Any pointers highly appreciated :-)
dovecot -n says this:
-------CUT-------
# 1.0.15: /etc/dovecot/dovecot.conf
log_path: /var/log/dovecot.log
protocols: imaps imap pop3
listen: 81.16.98.99
ssl_listen(default): 81.16.98.99
ssl_listen(imap): 81.16.98.99
ssl_listen(pop3):
ssl_cert_file: /etc/bestsolution/ssl/mail.bestsolution.at-cert.pem
ssl_key_file: /etc/bestsolution/ssl/mail.bestsolution.at-key.pem
ssl_parameters_regenerate: 24
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
first_valid_uid: 9
mail_access_groups: mail
mail_privileged_group: mail
default_mail_env: mbox:~/mail/:INBOX=/var/mail/%u
mail_location: mbox:~/mail/:INBOX=/var/mail/%u
mmap_disable: yes
lock_method: dotlock
maildir_copy_with_hardlinks: yes
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %v.%u
auth default:
  mechanisms: plain digest-md5 cram-md5 login
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
-------CUT-------
-- Udo Rader, CTO http://www.bestsolution.at
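
Added example, not part of the original post: a Python sketch that parses `Disconnected:` lines in the format quoted above and reports remote addresses that went through several distinct user names. It assumes such a pattern indicates password guessing; the names `suspicious_sources` and `min_users`, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Pre-login disconnect lines in the format quoted in the post above.
LINE_RE = re.compile(
    r"^dovecot: \w{3} +\d+ \d\d:\d\d:\d\d Info: "
    r"(?:pop3|imap)-login: Disconnected: "
    r"user=<(?P<user>[^>]+)>, method=(?P<method>[^,]+), "
    r"rip=(?P<rip>[0-9A-Fa-f.:]+), lip=[0-9A-Fa-f.:]+"
)


def suspicious_sources(lines, min_users=3):
    """Map each remote IP to the usernames it tried, keeping only IPs that
    tried at least min_users distinct names (assumed threshold)."""
    users_by_rip = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            users_by_rip[m.group("rip")].add(m.group("user"))
    return {
        rip: sorted(users)
        for rip, users in users_by_rip.items()
        if len(users) >= min_users
    }


# Constructed sample lines (documentation addresses, made-up user names).
SAMPLE_LOG = """\
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
dovecot: Nov 30 09:09:51 Info: pop3-login: Disconnected: user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
dovecot: Nov 30 09:09:52 Info: pop3-login: Disconnected: user=<carol>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
dovecot: Nov 30 09:10:03 Info: imap-login: Disconnected: user=<dave>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
dovecot: Nov 30 09:10:05 Info: imap-login: Disconnected: user=<dave>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10
"""

if __name__ == "__main__":
    for rip, users in suspicious_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{rip}: {len(users)} distinct users tried: {', '.join(users)}")
```

A single user retrying from one address (the second source in the sample) stays below the threshold and is not reported.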