Hey;

While not a direct answer, I think I have the direction in which you want to go. I've been reading the online manual (http://www.ossec.net/doc/) which has a section on cdb list lookups from within rules (http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html). Cdb is 'constant database'; effectively a standalone perl hash, if you're familiar with perl.

So, in English, what you want is a rule that will block IPs that are attempting access to the dovecot port with a user that is not in the list of valid users. That is an excellent idea. If you get the entire process worked out, let me know as I would like to do the same exact thing. Unfortunately, no time to work on it at the moment.

My understanding (which is probably inaccurate in some places):

* ossec.conf needs a line in the rules section similar to: <list>rules/users</list>
* You make a text file called rules/users formatted as:
  ${valid_user1}: 1
  ${valid_user2}: 1
  ${valid_user3}: 1
  ...
* You then run ossec-makelists
* Assuming all that works, you then create a rule with a line that looks something like: <list field="program_name" lookup="not_match_key">rules/users</list> then use the active response if that rule triggers...

There's a *bunch* in there that needs work. I'm very new to ossec myself but that seems like it'd be the right way to go. And, if not, someone more experienced will pipe up, call me all sorts of names, and tell us both the right way to do it :)

Hope that helps.

Doug O'Leary
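To make the lookup the post sketches concrete, here is an added Python simulation (not OSSEC's own code and not from the post above) of a not_match_key list lookup run over dovecot-style auth log lines: the key:value list text, the log lines and the regex-based field extraction are all constructed assumptions standing in for OSSEC's compiled CDB and its dovecot decoder.

```python
import re

# Constructed list file in the key:value form that ossec-makelists compiles into a CDB.
# Only the key before the colon is tested by match_key / not_match_key lookups.
USERS_LIST = """\
alice: 1
bob: 1
carol: 1
"""

# Constructed log lines modelled on dovecot imap-login output (not real captures).
LOGS = [
    "dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.0.2.10",
    "dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.5",
    "dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=203.0.113.5",
    "dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11",
]

# Stand-in for the decoder: pulls the 'user' and source-ip fields out of a line.
LOGIN_RE = re.compile(r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9.]+)")


def load_list(text):
    """Parse key:value lines into a dict keyed the way a CDB list is keyed."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        table[key.strip()] = value.strip()
    return table


def decode(line):
    """Return (user, srcip) for a line the regex understands, else None."""
    m = LOGIN_RE.search(line)
    return (m.group("user"), m.group("rip")) if m else None


def lookup(table, key, mode):
    """Simulate the match_key / not_match_key lookup modes of an OSSEC <list> element."""
    if mode == "match_key":
        return key in table
    if mode == "not_match_key":
        return key not in table
    raise ValueError("unsupported lookup mode: %s" % mode)


def ips_to_block(logs, list_text):
    """Source IPs that tried a user absent from the list: the rule the post describes."""
    table = load_list(list_text)
    hits = set()
    for line in logs:
        fields = decode(line)
        if fields and lookup(table, fields[0], "not_match_key"):
            hits.add(fields[1])
    return sorted(hits)
```

Running ips_to_block(LOGS, USERS_LIST) yields only the address that probed unknown users; failed logins by listed users are left alone, which is the point of keying on the list rather than on auth failures alone.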