[Dovecot] Logging passwords on auth failure/dealing with botnets

[Michael Smith (DF)]

Hi,

Since upgrading our mail servers to Postfix/Dovecot, we've seen a rather large increase in botnet brute force password attacks.  I guess our old servers were too slow to suit their needs.

Now, when they hit upon a valid user, it's easy to see what passwords they are trying (we've enabled auth_debug_passwords and set auth_verbose_passwords = plain).  We can easily have log monitors pick up the blatant password attempts (123, 1234, 12345, 3.1415926, etc) and firewall them.
Aug 22 00:21:47 host1 dovecot: auth-worker(1423): sql(aea,120.198.9.221): Password mismatch (given password: 3.1415926)

However, when they are plugging away on an invalid user, all the logs show is 'unknown user'.  The only way to see what they are doing is to tcpdump on the box.  Almost 99% of the attacks are through SMTP/SASL attempts, using 'auth login'. Postfix is configured to use Dovecot for the authentication backend.  NOTE: parens contain the base64 decoded values, this is not part of the data stream.
C: auth login
S: 334 VXNlcm5hbWU6  (334 Username:)
C: YWVi  (aeb)
S: 334 UGFzc3dvcmQ6  (334 Password:)
C: My4xNDE1OTI2  (3.1415926)
S: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6  (535 5.7.8 Error: authentication failed: Password:)

Aug 22 11:00:31 host3 dovecot: auth-worker(19844): sql(aeb,120.198.9.221): unknown user

How difficult would it be to add logging the given password, observing the auth_debug_passwords and auth_verbose_passwords settings, for all authentication failures?  When we see certain patterns, we want to aggressively block those IPs, regardless of if it's a valid username or an unknown user.

Or another option, is there any good DNS based RBLs for botnet IPs, and is there any way to tie that in to the dovecot auth system?  I've been looking for botnet rbls, but what I've found so far doesn't seem to work very well.  Most of the IPs that I've had to firewall don't exist in them.

--
Michael Smith