> On 23/03/2022 11:47 mj <lists at merit.unu.edu> wrote:
>
>
> Hi,
>
> We are logging failed authentication attempts, with the attempted
> password as auth_verbose_passwords=sha1
>
> The question: is it possible to configure auth_verbose_passwords=plain
> for a specific user only? Turning it on globally would be too much
> sensitive information for the purpose.
>
> Reason:
>
> We are currently observing a high number of failed authentications for a
> specific user, coming from *many* different IPs across the globe, with
> most IPs only trying once or twice, making this difficult to block. The
> number of failed authentications causes this account to regularly become
> blocked in AD.
>
> We would like to know if they are trying older actual passwords from the
> user, or if it's just a dictionary attack.
>
> Thanks!
Well, is the sha1 value the same every time? If it is, then they are trying the same
password each time.
Aki
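
One way to run the check suggested in this reply while staying on auth_verbose_passwords=sha1, as an added example that is not part of the thread: count the distinct logged hashes for the account and compare them with the SHA1 of old passwords the user supplies. The log line shape, the assumption that the logged value is the unsalted hex SHA1 of the password (possibly truncated), and all function names and sample data are assumptions of this example.

```python
import hashlib
import re
from collections import Counter

# Assumed line shape: "<passdb>(<user>,<ip>[,<session>]): ... (SHA1 of given password: <hex>)"
LINE_RE = re.compile(
    r"\w+\((?P<user>[^,)]+),(?P<ip>[^,)]+)(?:,[^)]*)?\):"
    r".*SHA1 of given password: (?P<sha1>[0-9a-f]+)"
)

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def summarize(log_text, user):
    """Count each logged SHA1 value seen in failed logins for `user`."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["user"] == user:
            counts[m["sha1"]] += 1
    return counts

def match_known(counts, candidates):
    """Return {logged_hash: label} for candidates whose SHA1 starts with a logged value.

    Prefix matching also covers logs that store only a truncated hash.
    """
    hits = {}
    for label, password in candidates.items():
        digest = sha1_hex(password)
        for logged in counts:
            if digest.startswith(logged):
                hits[logged] = label
    return hits

def sample_line(user, ip, password, keep=40):
    # Constructed sample log line, not captured from a real server.
    return (f"Mar 23 10:01:02 mx dovecot: auth: ldap({user},{ip}): "
            f"Password mismatch (SHA1 of given password: {sha1_hex(password)[:keep]})")

SAMPLE_LOG = "\n".join([
    sample_line("alice", "198.51.100.7", "Spring2021!"),
    sample_line("alice", "203.0.113.20", "Spring2021!"),
    sample_line("alice", "192.0.2.55", "letmein"),
    sample_line("alice", "198.51.100.99", "qwerty", keep=6),
    sample_line("bob", "192.0.2.1", "Spring2021!"),
])

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG, "alice")
    hits = match_known(counts, {"old-2021": "Spring2021!", "old-2020": "Winter2020!"})
    for digest, n in counts.most_common():
        print(n, digest, hits.get(digest, "no match"))
```

A few hashes repeated from many IPs points to a fixed password list or a leaked credential; a match against a supplied old password means that password should be treated as exposed.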