logging failed auth attempts
Dan White
dwhite at olp.net
Tue Dec 7 10:22:40 EST 2010
On 07/12/10 11:43 +0200, Tom Kinghorn wrote:
> Good morning.
>
>Firstly, please forgive me for posting here.
>I am new to Cyrus and have tried Google, with no luck.
>
>I have inherited a SLES 11 server with postfix & amavisd-new.
>
>The logs are full of LOGIN failures but it does not show the username
>which failed.
>
>postfix/smtpd[11881]: warning: unknown[41.145.221.103]: SASL LOGIN
>authentication failed: authentication failure
>
>Is it possible to do this?
>
>I would like to see the failed username in order to act on accounts
>which have been compromised.

What does your /etc/postfix/sasl/smtpd.conf SASL config look like?

If you're using saslauthd (pwcheck_method: saslauthd), you should see
failed PAM authentication attempts in the log file you're capturing syslog
auth.* to, or you could try running saslauthd in debug mode.

Otherwise (pwcheck_method: auxprop), I'm not aware of a way to log the
username of a failed authentication attempt in your logs. You may see them
in a pcap trace, since LOGIN is a plaintext authentication mechanism, with
something like:

    tcpdump -n -s0 -w/tmp/capture.pcap host 41.145.221.103 and port 25

--
Dan White
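
Added example, not part of the original post: a sketch of recovering the attempted usernames from such a capture, assuming the SMTP conversation has first been exported from the pcap as plain text with both directions interleaved. The function names, hosts, users and reply texts below are constructed for illustration; the password line is skipped and never stored.

```python
import base64
import binascii
import re

SERVER_REPLY = re.compile(r"^(\d{3})[ -]")
AUTH_LOGIN = re.compile(r"^AUTH\s+LOGIN(?:\s+(\S+))?$", re.IGNORECASE)

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample conversation (hypothetical hosts, users and reply texts).
SAMPLE_STREAM = "\n".join([
    "220 mail.example.org ESMTP",
    "EHLO client.example.net",
    "250 AUTH LOGIN PLAIN",
    "AUTH LOGIN",
    "334 VXNlcm5hbWU6",              # base64 of "Username:"
    _b64("alice@example.org"),
    "334 UGFzc3dvcmQ6",              # base64 of "Password:"
    _b64("constructed-secret"),
    "535 5.7.8 Error: authentication failed: authentication failure",
    "AUTH LOGIN " + _b64("bob"),     # username sent as initial response
    "334 UGFzc3dvcmQ6",
    _b64("constructed-secret"),
    "235 2.7.0 Authentication successful",
])

def _decode(token):
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # e.g. "*" (client cancelled) or junk

def login_attempts(stream_text):
    """Return [(username, outcome)] for every AUTH LOGIN exchange in the text."""
    attempts, user, seen = [], None, None   # seen = client lines so far, None = idle
    for line in map(str.strip, stream_text.splitlines()):
        start = AUTH_LOGIN.match(line)
        reply = SERVER_REPLY.match(line)
        if start:
            user = _decode(start.group(1)) if start.group(1) else None
            seen = 1 if start.group(1) else 0
        elif seen is None or (reply and reply.group(1) == "334"):
            continue                        # outside an exchange, or a server prompt
        elif reply:                         # final verdict: 235 means accepted
            attempts.append((user, "success" if reply.group(1) == "235" else "failed"))
            user, seen = None, None
        else:
            if seen == 0:
                user = _decode(line)        # first client line is the username
            seen += 1                       # later lines (the password) are never stored
    return attempts
```

Calling login_attempts(SAMPLE_STREAM) pairs each username with the server's verdict, so accounts that are failing repeatedly can be told apart from ones that were actually logged into.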