On January 25, 2017 at 12:24 AM Joseph Tam <jtam.home@gmail.com> wrote:

On 24.01.2017 00:06, rej ex wrote:

...

Because we are building some monitoring application, we will need to record all failed and successful login attempts. We need to record remote IP, entered password in plain text, and if possible whether auth request is for SMTP or IMAP session.

SMTP? Wouldn't that be handled by your MTA, not Dovecot?

AKi Tuomi wrote:

...

Since 2.2.27 we've had auth policy server support which can do this properly.

As I read the docs, the auth policy server would only get the hashed password, and wouldn't be able to record the plaintext password.

Maybe use the checkpassword hook?

http://wiki.dovecot.org/AuthDatabase/CheckPassword

Joseph Tam <jtam.home@gmail.com>

So it would seem if you don't read it carefully.

auth_policy_request_attributes: Request attributes specification (see attributes section below) Default: auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}

I invite you to consider what would happen if you were to replace %{hashed_password} with %{password}?

Aki