auth_debug and auth_verbose_passwords does not seem to work anymore

lleo19

I migrated to and have been using mailcow for more than a year now successfully. Thanks to all the developers for their time and effort to deliver such a great product.
As I am the only user of this instance, without much consideration, I have turned on and recorded passwords from failed logins in plain text in dovecot logs for monitoring hacker efforts.
I believe since the changes introduced in the March update, the settings “auth_debug=yes” and “auth_verbose_passwords=yes” added to the extra.conf file does not seem to work anymore, and nothing appears in the dovecot logs.
The mailbox identity provider is still mailcow.
Can anyone more closely familiar with mailcow please comment on how to achieve this functionality?
thanks, LLeo19

ETNyx

This is more of Dovecot than Mailcow,… but if I recollect it correctly at start of this year some changes in logging was made and log_debug directive is what you need to change instead of auth_debug now, please inspect release notes of Dovecot for more details,…

lleo19

thanks for your reply.
agree with you that the settings I mentioned are for dovecot, so any password request that hits dovecot should produce an entry…

In the meantime I troubleshooted this a bit more and realized that the settings work, noticeably for example after a fresh start, i.e. docket compose down / up -d

After a restart, as devices/clients reconnect to their service, log entries are produced. After that I think dovecot caching takes over and no further entries are created.
As far as brute-force efforts go from hackers: I get entries for incorrect login attempts when a correct mailbox username/email is used.
Nothing seems to be recorded in the dovecot logs if an incorrect username is used, such as one with no domain, or email that is only exists as an alias.
I am guessing that this is by design and not due to an error or configuration.

I browsed a bit github commits since about January but could not readily identify anything which deals with logging or log_debug

ETNyx

Jan 24, for v2.4.0 have this notice: auth_debug, mail_debug: Use log_debug filter instead. That said, not sure what version MC is using,…

EDIT: see this and this

DerLinkman

ETNyx 2.4.0 is not used as of yet. At earliest end of 2025 as it will break all existing configs 🙂 And that is no joke.

lleo19

dovecot included in mailcow is still version 2.3
specifically 2.3.21.1 in the latest, May release.

ivarh

I have added the following 2 lines to data/conf/dovecot/extra.conf:
auth_verbose = yes
auth_verbose_passwords = yes

it causing the following types of messages to be logged in the dovecot container logs:
dovecot: auth-worker(148530): conn unix:auth-worker (pid=141,uid=401): auth-worker<7>: lua(naseastwoodpiv@xxxxxxxxxx.org,102.23.254.237): Password mismatch (given password: Naseastwoodpiv123!)

This is on v2025-05
/var

ETNyx

Yes, know those moments of releasing big updates contains breaking changes, already did upgrade several Dovecots, few hiccups occurs, but I can’t compere to scale of MC.

@lleo19 I guess what @ivarh did you tried at first place, right? I would try to dump your config using doveconf to see if your changes are in place.