keep track of login attempts, both successful and failures

and show them in the account and admin interfaces. this should help with
debugging, to find misconfigured clients, and potentially find attackers trying
to login.

we include details like login name, account name, protocol, authentication
mechanism, ip addresses, tls connection properties, user-agent. and of course
the result.

we group entries by their details. repeat connections don't cause new records
in the database, they just increase the count on the existing record.

we keep data for at most 30 days. and we keep at most 10k entries per account.
to prevent unbounded growth. for successful login attempts, we store them all
for 30d. if a bad user causes so many entries this becomes a problem, it will
be time to talk to the user...

there is no pagination/searching yet in the admin/account interfaces. so the
list may be long. we only show the 10 most recent login attempts by default.
the rest is only shown on a separate page.

there is no way yet to disable this. may come later, either as global setting
or per account.

webadmin/api.json

@@ -2110,6 +2110,33 @@
 					]
 				}
 			]
+		},
+		{
+			"Name": "LoginAttempts",
+			"Docs": "",
+			"Params": [
+				{
+					"Name": "accountName",
+					"Typewords": [
+						"string"
+					]
+				},
+				{
+					"Name": "limit",
+					"Typewords": [
+						"int32"
+					]
+				}
+			],
+			"Returns": [
+				{
+					"Name": "r0",
+					"Typewords": [
+						"[]",
+						"LoginAttempt"
+					]
+				}
+			]
 		}
 	],
 	"Sections": [],
@@ -7395,6 +7422,111 @@
 					]
 				}
 			]
+		},
+		{
+			"Name": "LoginAttempt",
+			"Docs": "LoginAttempt is a successful or failed login attempt, stored for auditing\npurposes.\n\nAt most 10000 failed attempts are stored per account, to prevent unbounded\ngrowth of the database by third parties.",
+			"Fields": [
+				{
+					"Name": "Key",
+					"Docs": "Hash of all fields after \"Count\" below. We store a single entry per key, updating its Last and Count fields.",
+					"Typewords": [
+						"[]",
+						"uint8"
+					]
+				},
+				{
+					"Name": "Last",
+					"Docs": "Last has an index for efficient removal of entries after 30 days.",
+					"Typewords": [
+						"timestamp"
+					]
+				},
+				{
+					"Name": "First",
+					"Docs": "",
+					"Typewords": [
+						"timestamp"
+					]
+				},
+				{
+					"Name": "Count",
+					"Docs": "Number of login attempts for the combination of fields below.",
+					"Typewords": [
+						"int64"
+					]
+				},
+				{
+					"Name": "AccountName",
+					"Docs": "Admin logins use \"(admin)\". If no account is known, \"-\" is used. AccountName has an index for efficiently removing failed login attempts at the end of the list when there are too many, and for efficiently removing all records for an account.",
+					"Typewords": [
+						"string"
+					]
+				},
+				{
+					"Name": "LoginAddress",
+					"Docs": "Empty for attempts to login in as admin.",
+					"Typewords": [
+						"string"
+					]
+				},
+				{
+					"Name": "RemoteIP",
+					"Docs": "",
+					"Typewords": [
+						"string"
+					]
+				},
+				{
+					"Name": "LocalIP",
+					"Docs": "",
+					"Typewords": [
+						"string"
+					]
+				},
+				{
+					"Name": "TLS",
+					"Docs": "Empty if no TLS, otherwise contains version, algorithm, properties, etc.",
+					"Typewords": [
+						"string"
+					]
+				},
+				{
+					"Name": "TLSPubKeyFingerprint",
+					"Docs": "",
+					"Typewords": [
+						"string"
+					]
+				},
+				{
+					"Name": "Protocol",
+					"Docs": "\"submission\", \"imap\", \"webmail\", \"webaccount\", \"webadmin\"",
+					"Typewords": [
+						"string"
+					]
+				},
+				{
+					"Name": "UserAgent",
+					"Docs": "From HTTP header, or IMAP ID command.",
+					"Typewords": [
+						"string"
+					]
+				},
+				{
+					"Name": "AuthMech",
+					"Docs": "\"plain\", \"login\", \"cram-md5\", \"scram-sha-256-plus\", \"(unrecognized)\", etc",
+					"Typewords": [
+						"string"
+					]
+				},
+				{
+					"Name": "Result",
+					"Docs": "",
+					"Typewords": [
+						"AuthResult"
+					]
+				}
+			]
 		}
 	],
 	"Ints": [],
@@ -7481,6 +7613,57 @@
 			"Name": "IP",
 			"Docs": "An IP is a single IP address, a slice of bytes.\nFunctions in this package accept either 4-byte (IPv4)\nor 16-byte (IPv6) slices as input.\n\nNote that in this documentation, referring to an\nIP address as an IPv4 address or an IPv6 address\nis a semantic property of the address, not just the\nlength of the byte slice: a 16-byte slice can still\nbe an IPv4 address.",
 			"Values": []
+		},
+		{
+			"Name": "AuthResult",
+			"Docs": "AuthResult is the result of a login attempt.",
+			"Values": [
+				{
+					"Name": "AuthSuccess",
+					"Value": "ok",
+					"Docs": ""
+				},
+				{
+					"Name": "AuthBadUser",
+					"Value": "baduser",
+					"Docs": ""
+				},
+				{
+					"Name": "AuthBadPassword",
+					"Value": "badpassword",
+					"Docs": ""
+				},
+				{
+					"Name": "AuthBadCredentials",
+					"Value": "badcreds",
+					"Docs": ""
+				},
+				{
+					"Name": "AuthBadChannelBinding",
+					"Value": "badchanbind",
+					"Docs": ""
+				},
+				{
+					"Name": "AuthBadProtocol",
+					"Value": "badprotocol",
+					"Docs": ""
+				},
+				{
+					"Name": "AuthLoginDisabled",
+					"Value": "logindisabled",
+					"Docs": ""
+				},
+				{
+					"Name": "AuthError",
+					"Value": "error",
+					"Docs": ""
+				},
+				{
+					"Name": "AuthAborted",
+					"Value": "aborted",
+					"Docs": ""
+				}
+			]
 		}
 	],
 	"SherpaVersion": 0,