Objective: different password for remote and local imap login

Version: 2.2.36 (1f10bfa63) on CentOS 7 Users are from Active Directory, mapped to local users via sssd

After much experimentation, I have configured this way: doveconf -n passdb userdb passdb { args = username_format=%Ln /etc/dovecot/remote driver = passwd-file skip = authenticated username_filter = user01 user02 } passdb { driver = pam override_fields = allow_nets=127.0.0.0/8,192.168.1.0/24 skip = authenticated } userdb { driver = passwd }

If I put the passdb's in the reverse order, I would get failure messages (when logging in remotely) in /var/log/secure, such as: auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user02 rhost=xx.xx.xx.xx user=user02 Which caused fail2ban to ban that ip

/etc/fail2ban/jail.local [dovecot] enabled = true port = imap,imaps

If I set "auth_verbose = yes", then I can see messages in (when logging in locally) in /var/log/maillog dovecot: auth: passwd-file(user02,192.168.1.20,): Password mismatch which is probably not a big deal... but seems inefficient?

Question: is there a more elegant way to use different passdb depending on ip?

Thanks in advance.