This is a suggestion that will probably take a while to implement, and it might not be feasible at all to realize it, but I figured I might shoot it anyway:
The other day, when I tried to log on to my Google account from a different country than I regularly am in (through an app service that apparently goes through third-party servers), Google blocked that successful login and offered me the choice to allow it, or to check if my account had been hacked.
I must say I quite like the idea. I'm wondering if something like that could be implemented in Virtualmin for login to shell, FTP, Dovecot, Postfix and so on.
Most dictionary attacks we see certainly come from countries/regions other than the one the user is actually in, so it might be an idea to at least inform about logins from unusual IP ranges. I guess Google and others implemented this for a good reason. ;)
Of course the user would need to have a way of allowing logins from other areas, preemptively or after being informed about a block or so.
I think a system like this could help a good deal with mitigating the increasing problem of users' mail/FTP accounts that get hacked through malware on their computers. Please feel free to think about it when your to-do list allows for it! :)