[Dovecot] Logging IP address for failed login
Joseph Tam
jtam.home at gmail.com
Wed Oct 3 01:42:23 EEST 2012
Scott Neville <dovecot-in at keystealth.org> writes:
> I am trying to use the logs to show the IP that brute force activity
> comes from, but I'm not succeeding. I have read the archives and seen
> the advice others have had. I can see logs for repeated bad logins,
> but I need the IP address from the attempts.
>
> ...
> but only for successful logins. The brute force attempts don't log like that:
>
> Sep 16 00:02:58 olive dovecot: auth: pam(backup): unknown user

This was similar to another complaint several months ago. I conjectured
that these attempts are SMTP AUTH, not IMAP, brute forcing. Are you
using Dovecot's SASL feature to authenticate outgoing email (i.e. via
Postfix)? Maybe you can verify this hypothesis by checking the Postfix logs.

Joseph Tam <jtam.home at gmail.com>
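
One way to run the check suggested in the reply above, as an added example that is not part of the original message: it pairs each Dovecot auth failure that carries no IP with the nearest Postfix smtpd SASL failure on the same host. Assumptions: both services log to the same syslog file, Postfix emits its usual `SASL <mech> authentication failed` warning, the 3-second window and the year are arbitrary choices, and every sample line except the first is constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (documentation IP ranges); only the first line is from the post.
SAMPLE_LOG = """\
Sep 16 00:02:58 olive dovecot: auth: pam(backup): unknown user
Sep 16 00:02:59 olive postfix/smtpd[4121]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 00:03:04 olive dovecot: auth: pam(admin): unknown user
Sep 16 00:03:05 olive postfix/smtpd[4121]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 00:07:40 olive dovecot: auth: pam(test): unknown user
Sep 16 00:09:12 olive postfix/smtpd[4188]: warning: mail.example.net[198.51.100.7]: SASL PLAIN authentication failed:
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
# Dovecot auth line whose "(user)" part has no ",ip" suffix, as in the post.
DOVECOT = re.compile(TS + r"dovecot: auth: \w+\((?P<user>[^,)]*)\): ")
# Postfix smtpd warning for a failed SMTP AUTH; the client IP is in brackets.
POSTFIX = re.compile(
    TS + r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: "
    r"SASL \S+ authentication failed")


def _ts(text, year=2012):
    # Syslog timestamps omit the year; the default here is an assumption.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def attribute(log, window=timedelta(seconds=3)):
    """Return ([(user, ip or None), ...], Counter of SASL failures per IP)."""
    auth, smtp = [], []
    for line in log.splitlines():
        if m := DOVECOT.match(line):
            auth.append((_ts(m["ts"]), m["host"], m["user"]))
        elif m := POSTFIX.match(line):
            smtp.append((_ts(m["ts"]), m["host"], m["ip"]))
    pairs = []
    for t, host, user in auth:
        # Candidate SMTP failures on the same host within the time window.
        near = [(abs(st - t), ip) for st, h, ip in smtp
                if h == host and abs(st - t) <= window]
        pairs.append((user, min(near)[1] if near else None))
    return pairs, Counter(ip for _, _, ip in smtp)


if __name__ == "__main__":
    pairs, per_ip = attribute(SAMPLE_LOG)
    for user, ip in pairs:
        print(f"{user:10} {ip or 'no SMTP AUTH failure nearby'}")
    print(per_ip.most_common())
```

A user left unpaired (here `test`) points away from SMTP AUTH for that attempt, and the per-IP counter can be used on its own when the Postfix log is kept in a separate file.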