logging successful smtp auth?

Dan White dwhite at olp.net
Sun Aug 26 23:17:57 EDT 2012


On 08/26/12 13:12 -0600, Amir 'CG' Caspi wrote:
>Sorry for the multiple sends, as I mentioned, I wasn't sure if the 
>originals got through... apologies for the duplicates!
>
>To update:
>
>	One thing I just realized is that the error messages are from 
>sm-scanner, not sm-acceptingconnections... not sure if that means 
>anything or not, except that sm-scanner doesn't log the connecting 
>IP, it just seems to log the relay IP.
>	For users who use TLS, I can see their authentications in 
>/var/log/maillog, but users who authenticate without TLS don't show 
>up there as far as I can tell.
>	So, basically, I'm trying to find out if there's a way to get 
>sendmail or SASL to log the sending (authenticated) user, not just 
>the recipient.

You can increase libsasl2 logging with:

log_level: <0-7>

in your Sendmail smtpd.conf sasl config, which should log authentication
information to syslog (auth facility).

However, that logging information will not contain IP information. Consult
Sendmail's documentation for how to do so.

Postfix logs this information by default, e.g.:

Aug 26 06:26:04 pinky postfix/smtpd[8316]: 83F0E292E16:
client=w.x.y.z[192.0.2.42], sasl_method=LOGIN,
sasl_username=jsmith at example.org

and can also log the username in a header within the email via the
smtpd_sasl_authenticated_header, which helps if you're processing returned
abuse emails.

>At 12:04 PM -0600 08/26/2012, Amir 'CG' Caspi wrote:
>>Hi,
>>
>>	Is there any way for me to see who has performed a
>>_successful_ SMTP auth with saslauthd?
>>
>>	I'm running CentOS 5.8, using sendmail and saslauthd for SMTP
>>auth.  Auth is required for any sending of outside mail... while
>>looking at my SMTP logs, it appears that a user account may have been
>>compromised, as I see entries that look like the following:
>>
>>Aug 26 13:41:58 kismet sm-scanner[12936]: q7NJUPhL023672: to=<xxx>,
>>delay=2+22:11:32, xdelay=00:00:01, mailer=esmtp, pri=25320000,
>>relay=xxx. [xxx], dsn=4.1.1, stat=Deferred: 450 4.1.1 <xxx>:
>>Recipient address rejected: unverified address: unknown user: "xxx"
>>
>>I don't have any open relaying enabled, SMTP AUTH is required, so
>>this suggests that a user account has been compromised.
>>
>>	However... I can't figure out how to check WHICH user
>>account!  /var/log/secure contains error messages when a user FAILS
>>to authenticate... but there are no log messages for success.
>>	So, I can't figure out which user is the one performing
>>successful auth prior to these clear spam attempts.
>>
>>Any help would be greatly appreciated... and ASAP since I want to
>>terminate these spam issues immediately.
>>
>>Thanks!!
>>						--- Amir
>

-- 
Dan White
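The Postfix `sasl_username=` line quoted above is exactly what the original question lacks for sendmail: a per-message record of which account authenticated and from which client address. The following is an added example, not code from this thread or from the Postfix or Cyrus SASL projects; it parses log lines of that shape and groups them by username so that one account authenticating from many unrelated addresses stands out. The log lines fed to it are constructed here (real Postfix writes each record on a single line, and the archive's "jsmith at example.org" is the list software's rendering of "jsmith@example.org"); the field names, the `max_ips` threshold and the function names are this example's own choices.

```python
import re
from collections import defaultdict

# Shape of the Postfix smtpd SASL record quoted in the reply above:
#   <queue-id>: client=<host>[<ip>], sasl_method=<method>, sasl_username=<user>
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<queue>[0-9A-Za-z]+): "
    r"client=(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>[^,\s]+), "
    r"sasl_username=(?P<user>\S+)"
)


def parse_sasl_line(line):
    """Return the parsed fields of one successful-auth record, or None
    for any other smtpd line (connect/disconnect, rejects, ...)."""
    m = SASL_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate authenticated submissions per sasl_username.

    Result: {username: {"count": n, "ips": set(...), "methods": set(...)}}
    """
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "methods": set()})
    for line in lines:
        rec = parse_sasl_line(line)
        if rec is None:
            continue
        entry = summary[rec["user"]]
        entry["count"] += 1
        entry["ips"].add(rec["ip"])
        entry["methods"].add(rec["method"])
    return dict(summary)


def suspicious_users(summary, max_ips=2):
    """Usernames seen authenticating from more than max_ips distinct
    client addresses. A compromised account being used to relay spam
    typically shows up this way; a legitimate user normally does not."""
    return sorted(u for u, e in summary.items() if len(e["ips"]) > max_ips)


# Constructed sample log lines (RFC 5737 documentation addresses), not
# taken from any real server. One ordinary user, one account hammered
# from three different client addresses, plus a non-auth line to ignore.
SAMPLE_LOG = [
    "Aug 26 06:26:04 pinky postfix/smtpd[8316]: 83F0E292E16: "
    "client=w.x.y.z[192.0.2.42], sasl_method=LOGIN, sasl_username=jsmith@example.org",
    "Aug 26 06:27:11 pinky postfix/smtpd[8316]: 9A11E292E17: "
    "client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob",
    "Aug 26 06:27:40 pinky postfix/smtpd[8320]: A22FE292E18: "
    "client=unknown[198.51.100.8], sasl_method=PLAIN, sasl_username=bob",
    "Aug 26 06:28:02 pinky postfix/smtpd[8321]: B3300292E19: "
    "client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob",
    "Aug 26 06:28:30 pinky postfix/smtpd[8321]: disconnect from unknown[203.0.113.9]",
]


def report(lines, max_ips=2):
    """Human-readable summary; returns the list of flagged usernames."""
    summary = summarize(lines)
    for user, e in sorted(summary.items()):
        print(f"{user}: {e['count']} auth(s), {len(e['ips'])} client IP(s), "
              f"methods={','.join(sorted(e['methods']))}")
    flagged = suspicious_users(summary, max_ips)
    for user in flagged:
        print(f"  -> review account {user}: IPs {sorted(summary[user]['ips'])}")
    return flagged


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

On a live system the same functions can be pointed at `/var/log/maillog` (or `journalctl -u postfix`) instead of `SAMPLE_LOG`; because `parse_sasl_line` returns `None` for anything that is not a SASL record, the whole file can be streamed through without pre-filtering. The threshold on distinct client addresses is a starting point, not a verdict: a user on a laptop that roams between networks will legitimately exceed it, so the flagged list is a triage queue to confirm against the account owner, not an automatic lockout.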

