logging failed auth attempts

Dan White dwhite at olp.net
Tue Dec 7 10:22:40 EST 2010


On 07/12/10 11:43 +0200, Tom Kinghorn wrote:
> Good morning.
>
>Firstly, please forgive me for posting here.
>I am new to Cyrus and have tried google, with no luck.
>
>I have inherited a SLES 11 server with postfix & amavisd-new.
>
>The logs are full of LOGIN failures but it does not show the username 
>which failed.
>
>postfix/smtpd[11881]: warning: unknown[41.145.221.103]: SASL LOGIN 
>authentication failed: authentication failure
>
>Is it possible to do this?
>
>I would like to see the failed username in order to act on accounts 
>which have been compromised.

What does your /etc/postfix/sasl/smtpd.conf SASL config look like?

If you're using saslauthd (pwcheck_method: saslauthd), you should see
failed PAM authentication attempts in the log file you're capturing syslog
auth.* to, or you could try running saslauthd in debug mode.

Otherwise (pwcheck_method: auxprop), I'm not aware of a way to log the
username of a failed authentication attempt in your logs. You may see them
in a pcap trace, since LOGIN is a plaintext authentication mechanism, with
something like:

tcpdump -n -s0 -w/tmp/capture.pcap host 41.145.221.103 and port 25

-- 
Dan White
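
Added example, not part of Dan White's reply: a Python sketch of how the username travels in an SMTP AUTH LOGIN exchange (base64, not encrypted) and how to pair it with the server's verdict once the TCP stream from a capture has been written out as text. The "C: "/"S: " line prefixes, the function names and the sample session are assumptions constructed for illustration.

```python
import base64
import binascii

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample (not real traffic): "C: " = client line, "S: " = server line.
SAMPLE = "\n".join([
    "C: EHLO client.example.net",
    "S: 250 AUTH LOGIN",
    "C: AUTH LOGIN",
    f"S: 334 {b64('Username:')}",
    f"C: {b64('alice@example.com')}",
    f"S: 334 {b64('Password:')}",
    f"C: {b64('placeholder')}",
    "S: 535 5.7.8 Error: authentication failed",
    f"C: AUTH LOGIN {b64('bob@example.com')}",  # username sent as initial response
    f"S: 334 {b64('Password:')}",
    f"C: {b64('placeholder')}",
    "S: 235 2.7.0 Authentication successful",
])

def decode_user(token):
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return "<undecodable>"

def auth_login_results(transcript):
    """Return [(username, succeeded)] for every AUTH LOGIN attempt seen."""
    results, state, user = [], None, None
    for line in transcript.splitlines():
        side, _, text = line.strip().partition(": ")
        if side == "C" and text.upper().startswith("AUTH LOGIN"):
            parts = text.split()
            user = decode_user(parts[2]) if len(parts) > 2 else None
            state = "username" if user is None else "password"
        elif side == "C" and state == "username":
            user, state = decode_user(text), "password"
        elif side == "C" and state == "password":
            state = "verdict"  # the password line is deliberately never decoded
        elif side == "S" and state and not text.startswith("334"):
            if user is not None:  # any final reply other than 235 is a failure
                results.append((user, text.startswith("235")))
            state, user = None, None
    return results

def failed_usernames(transcript):
    return [user for user, ok in auth_login_results(transcript) if not ok]
```

If the client negotiates STARTTLS before authenticating, the exchange is encrypted and the username will not be readable in the capture.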

