logging successful smtp auth?

Amir 'CG' Caspi cepheid at 3phase.com
Sun Aug 26 15:12:40 EDT 2012


Sorry for the multiple sends, as I mentioned, I wasn't sure if the 
originals got through... apologies for the duplicates!

To update:

	One thing I just realized is that the error messages are from 
sm-scanner, not sm-acceptingconnections... not sure if that means 
anything or not, except that sm-scanner doesn't log the connecting 
IP, it just seems to log the relay IP.
	For users who use TLS, I can see their authentications in 
/var/log/maillog, but users who authenticate without TLS don't show 
up there as far as I can tell.
	So, basically, I'm trying to find out if there's a way to get 
sendmail or SASL to log the sending (authenticated) user, not just 
the recipient.

Thanks.
						--- Amir

At 12:04 PM -0600 08/26/2012, Amir 'CG' Caspi wrote:
>Hi,
>
>	Is there any way for me to see who has performed a
>_successful_ SMTP auth with saslauthd?
>
>	I'm running CentOS 5.8, using sendmail and saslauthd for SMTP
>auth.  Auth is required for any sending of outside mail... while
>looking at my SMTP logs, it appears that a user account may have been
>compromised, as I see entries that look like the following:
>
>Aug 26 13:41:58 kismet sm-scanner[12936]: q7NJUPhL023672: to=<xxx>,
>delay=2+22:11:32, xdelay=00:00:01, mailer=esmtp, pri=25320000,
>relay=xxx. [xxx], dsn=4.1.1, stat=Deferred: 450 4.1.1 <xxx>:
>Recipient address rejected: unverified address: unknown user: "xxx"
>
>I don't have any open relaying enabled, SMTP AUTH is required, so
>this suggests that a user account has been compromised.
>
>	However... I can't figure out how to check WHICH user
>account!  /var/log/secure contains error messages when a user FAILS
>to authenticate... but there are no log messages for success.
>	So, I can't figure out which user is the one performing
>successful auth prior to these clear spam attempts.
>
>Any help would be greatly appreciated... and ASAP since I want to
>terminate these spam issues immediately.
>
>Thanks!!
>						--- Amir
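A defender-side way to answer the question above, added here as an example and not part of the thread: sendmail's own /var/log/maillog (rather than saslauthd) can name the authenticated user. With `LogLevel` at 10 or higher it writes an `AUTH=server, relay=..., authid=..., mech=...` line for each successful SMTP AUTH, and the matching envelope `from=` line carries `proto=ESMTPA`; the script below joins the two by process ID and flags accounts that send to many recipients or from several relays. The log lines are constructed, and the LogLevel behaviour and line shapes are assumptions to check against a real maillog.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape sendmail writes its AUTH=server line
# (LogLevel >= 10) and its envelope from= line (assumption, not from the post).
SAMPLE_LOG = """\
Aug 26 13:40:01 kismet sm-mta[12900]: AUTH=server, relay=pc1.example [203.0.113.5], authid=alice, mech=PLAIN, bits=0
Aug 26 13:40:01 kismet sm-mta[12900]: q7QJe1ab012900: from=<alice@example.com>, size=2048, class=0, nrcpts=1, msgid=<a@x>, proto=ESMTPA, daemon=MTA, relay=pc1.example [203.0.113.5]
Aug 26 13:41:10 kismet sm-mta[12931]: AUTH=server, relay=[198.51.100.7], authid=bob, mech=LOGIN, bits=0
Aug 26 13:41:11 kismet sm-mta[12931]: q7QJfBcd012931: from=<promo@other.invalid>, size=51200, class=0, nrcpts=80, msgid=<b@y>, proto=ESMTPA, daemon=MTA, relay=[198.51.100.7]
Aug 26 13:41:50 kismet sm-mta[12940]: AUTH=server, relay=[198.51.100.9], authid=bob, mech=LOGIN, bits=0
Aug 26 13:41:51 kismet sm-mta[12940]: q7QJfpef012940: from=<deal@other.invalid>, size=51200, class=0, nrcpts=75, msgid=<c@z>, proto=ESMTPA, daemon=MTA, relay=[198.51.100.9]
"""

# Process name varies (sendmail, sm-mta, ...); the pid in brackets is the join key.
AUTH_RE = re.compile(r"\[(\d+)\]: AUTH=server, relay=(.*?), authid=(\S+?), mech=")
FROM_RE = re.compile(r"\[(\d+)\]: (\w+): from=<([^>]*)>, .*?nrcpts=(\d+), .*?proto=(\w+)")


def correlate(log_text):
    """Return one record per authenticated envelope: queue id, authid, relay, sender, nrcpts."""
    auth_by_pid = {}          # pid -> (authid, relay) from the most recent AUTH=server line
    envelopes = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            auth_by_pid[m.group(1)] = (m.group(3), m.group(2))
            continue
        m = FROM_RE.search(line)
        if m and m.group(5).endswith("A"):   # ESMTPA/SMTPA = session passed SMTP AUTH
            pid, qid, sender, nrcpts = m.group(1), m.group(2), m.group(3), int(m.group(4))
            authid, relay = auth_by_pid.get(pid, ("<unknown>", "?"))
            envelopes.append({"qid": qid, "authid": authid, "relay": relay,
                              "sender": sender, "nrcpts": nrcpts})
    return envelopes


def suspicious_accounts(envelopes, max_rcpts=50, min_relays=2):
    """Authids whose total recipient count or number of distinct relays exceeds the thresholds."""
    stats = defaultdict(lambda: {"rcpts": 0, "relays": set()})
    for e in envelopes:
        stats[e["authid"]]["rcpts"] += e["nrcpts"]
        stats[e["authid"]]["relays"].add(e["relay"])
    return sorted(a for a, s in stats.items()
                  if s["rcpts"] > max_rcpts or len(s["relays"]) >= min_relays)


if __name__ == "__main__":
    for e in correlate(SAMPLE_LOG):
        print(e)
    print("review:", suspicious_accounts(correlate(SAMPLE_LOG)))
```

Run it against the real file with `correlate(open("/var/log/maillog").read())`; the queue ID in each record is what links the envelope to the later `to=` lines, including the deferred ones quoted above.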

