Howto show user id for failed authentications attempts
Jesús Ángel del Pozo
jesusangel.delpozo at xolido.com
Wed Oct 13 13:05:31 EEST 2021
Hello,
The problem was I forgot to add the server_set_id = $auth1 line to the
dovecot_login authenticator.
Regards,
Jesús Ángel.
On 11/10/2021 13:35, Jesús Ángel del Pozo wrote:
>
> Hello,
>
> I am using dovecot_authenticator for Exim and I get a lot of
> authentication failure log entries, most of them due to brute force
> attacks. The log entries are like this:
>
> 2021-10-11 13:30:21 dovecot_login authenticator failed for ([5.188.206.194]) [5.188.206.194]: 535 Incorrect authentication data
>
> I wonder whether it would be possible to show the user ID the attacker
> used to authenticate himself.
>
> Here it is the SMTP data for one of these SMTP sessions:
>
> SMTP>> 250-disguised.domain.com Hello [5.188.206.194] [5.188.206.194]
> SMTP<< AUTH LOGIN
> SMTP>> 334 VXNlcm5hbWU6
> received: CONT 1 UGFzc3dvcmQ6
> SMTP>> 334 UGFzc3dvcmQ6
> received: FAIL 1user=webmaster at somedomain.net
> SMTP>> 535 Incorrect authentication data
> LOG: MAIN REJECT
> dovecot_login authenticator failed for ([5.188.206.194]) [5.188.206.194]: 535 Incorrect authentication data
> SMTP>> 421 disguised.domain.com lost input connection
>
> Warm regards,
>
> Jesús Ángel.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20211013/b2ff7b0f/attachment.html>
More information about the dovecot
mailing list