Saslauthd & reporting connecting IP

John Straiton jsmailing at
Thu Apr 17 10:22:33 EDT 2003

> > 	I have what seems like a simple problem I'm just not seeing the 
> > answer to. I use cyrus w/ saslauthd & pam. I get a lot of syslog 
> > messages like: (USERNAME used to protect the mostly-innocent)
> >
> > Apr 16 17:20:51 mx2 saslauthd[93602]: AUTHFAIL: user=USERNAME 
> > service=pop realm= [PAM auth error]
> >
> > What I'd like to know is where the source of this attempt was from. 
> > What IP address? It's not been a problem as of yet, but it 
> might take 
> > us longer than I'd like to determine the nature of a brute force 
> > attack (or
> > like) with this information not readily accessable. Idealy, I'd like
> > that address in this syslog line, but if there's another means to an
> > end, that'll work too.
> >
> Check the logs for your pop service.
Sometimes it just doesn't pay to be watching a filtered version of your
syslog. Because I have like 100 rules setup in syslog-ng, I wasn't
seeing the messages coming from cyrus about "badlogin:" which is what we
really should be tracking because the facility those come in on was
filtered from my display (logged, but not on my scrolling window in my X
terminal). I was only seeing the saslauthd ones and thinking "well this
is do you know who it is..."

Thanks a lot. I knew it was something silly I was doing.

John Straiton
jks at
Clickcom, Inc

More information about the Info-cyrus mailing list