logging successful smtp auth?
Amir 'CG' Caspi
cepheid at 3phase.com
Sun Aug 26 15:12:40 EDT 2012
Sorry for the multiple sends, as I mentioned, I wasn't sure if the
originals got through... apologies for the duplicates!
To update:
One thing I just realized is that the error messages are from
sm-scanner, not sm-acceptingconnections... not sure if that means
anything or not, except that sm-scanner doesn't log the connecting
IP, it just seems to log the relay IP.
For users who use TLS, I can see their authentications in
/var/log/maillog, but users who authenticate without TLS don't show
up there as far as I can tell.
So, basically, I'm trying to find out if there's a way to get
sendmail or SASL to log the sending (authenticated) user, not just
the recipient.
Thanks.
--- Amir
At 12:04 PM -0600 08/26/2012, Amir 'CG' Caspi wrote:
>Hi,
>
> Is there any way for me to see who has performed a
>_successful_ SMTP auth with saslauthd?
>
> I'm running CentOS 5.8, using sendmail and saslauthd for SMTP
>auth. Auth is required for any sending of outside mail... while
>looking at my SMTP logs, it appears that a user account may have been
>compromised, as I see entries that look like the following:
>
>Aug 26 13:41:58 kismet sm-scanner[12936]: q7NJUPhL023672: to=<xxx>,
>delay=2+22:11:32, xdelay=00:00:01, mailer=esmtp, pri=25320000,
>relay=xxx. [xxx], dsn=4.1.1, stat=Deferred: 450 4.1.1 <xxx>:
>Recipient address rejected: unverified address: unknown user: "xxx"
>
>I don't have any open relaying enabled, SMTP AUTH is required, so
>this suggests that a user account has been compromised.
>
> However... I can't figure out how to check WHICH user
>account! /var/log/secure contains error messages when a user FAILS
>to authenticate... but there are no log messages for success.
> So, I can't figure out which user is the one performing
>successful auth prior to these clear spam attempts.
>
>Any help would be greatly appreciated... and ASAP since I want to
>terminate these spam issues immediately.
>
>Thanks!!
> --- Amir
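A small correlation script, added here as an example and not part of the original thread, showing how the question above can be answered from the maillog alone once sendmail records successful authentication: it joins the per-queue-ID `AUTH=server ... authid=` line to the later `to=` line for the same queue ID, so each deferred "unknown user" delivery is attributed to the account that authenticated. The log lines are constructed, the host, IPs and queue IDs are placeholders, and the exact `AUTH=server` line format and the assumption that it only appears once sendmail's LogLevel is raised to 10 or more are mine, not something the post confirms.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/maillog (not from the original post). The
# AUTH=server line is assumed to be what sendmail writes for a successful
# SMTP AUTH at LogLevel >= 10; the to= line mirrors the deferred delivery
# in the post. Host, addresses, IPs and queue IDs are placeholders.
SAMPLE_LOG = """\
Aug 26 13:40:02 kismet sm-mta[12001]: q7NJUPhL023672: AUTH=server, relay=[192.0.2.10], authid=alice, mech=LOGIN, bits=0
Aug 26 13:40:03 kismet sm-mta[12001]: q7NJUPhL023672: from=<alice@example.net>, size=2048, class=0, nrcpts=3, proto=ESMTPA, daemon=MTA, relay=[192.0.2.10]
Aug 26 13:41:58 kismet sm-scanner[12936]: q7NJUPhL023672: to=<nobody@example.org>, delay=2+22:11:32, xdelay=00:00:01, mailer=esmtp, pri=25320000, relay=mx.example.org. [198.51.100.5], dsn=4.1.1, stat=Deferred: 450 4.1.1 <nobody@example.org>: Recipient address rejected: unverified address: unknown user: "nobody"
Aug 26 13:42:10 kismet sm-mta[12050]: q7NJg9Ab024100: AUTH=server, relay=[203.0.113.7], authid=bob, mech=PLAIN, bits=0
Aug 26 13:42:11 kismet sm-mta[12050]: q7NJg9Ab024100: to=<friend@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mx.example.com. [198.51.100.9], dsn=2.0.0, stat=Sent (OK)
"""

# Queue ID precedes the event on every sendmail log line; it is the join key.
AUTH_RE = re.compile(r' (?P<qid>\w+): AUTH=server, relay=(?P<relay>.*?), authid=(?P<authid>[^,]+), mech=')
TO_RE = re.compile(r' (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>.*?stat=(?P<stat>.*)$')


def auth_sessions(log_text):
    """Map queue ID -> (authid, client relay) from successful AUTH lines."""
    sessions = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            sessions[m.group('qid')] = (m.group('authid'), m.group('relay'))
    return sessions


def suspicious_senders(log_text, marker='unknown user'):
    """Group deliveries whose status contains `marker` by the account that
    authenticated for that queue ID. Deliveries with no matching AUTH line
    are reported under a sentinel so a logging gap is visible, not hidden."""
    sessions = auth_sessions(log_text)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = TO_RE.search(line)
        if not m or marker not in m.group('stat'):
            continue
        who, relay = sessions.get(m.group('qid'), ('<no AUTH line logged>', '?'))
        hits[who].append((m.group('qid'), m.group('rcpt'), relay))
    return dict(hits)


if __name__ == '__main__':
    for account, deliveries in suspicious_senders(SAMPLE_LOG).items():
        print(account, len(deliveries), 'deferred unknown-user deliveries')
        for qid, rcpt, relay in deliveries:
            print('   ', qid, rcpt, 'authenticated from', relay)
```

To run it against a live server, replace SAMPLE_LOG with the contents of /var/log/maillog; if every hit lands under the `<no AUTH line logged>` sentinel, sendmail is not recording successful authentications at the current log level, which is the gap the post describes.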