----- Message from Timo Sirainen <tss@iki.fi> --------- Date: Mon, 5 Dec 2011 21:49:15 +0200 From: Timo Sirainen <tss@iki.fi> Reply-To: Dovecot Mailing List <dovecot@dovecot.org> Subject: Re: [Dovecot] MS Exchange IMAP Proxy (Logging Auth Failures?) To: Terry Carmen <terry@cnysupport.com> Cc: dovecot@dovecot.org
On 5.12.2011, at 19.16, Terry Carmen wrote:
It's working beautifully!
Is there any way to get it to log failed login attempts with the
user's IP address?auth_verbose=yes
Got it.
syslog_facility = mail auth_verbose = yes auth_verbose_passwords = plain auth_debug = yes mail_debug = yes
I'm sure they're not all necessary. I was turning on all the logging I
could find. 8-)
The log looks like this:
Dec 5 15:29:49 it dovecot: auth: Debug: auth client connected (pid=12028)
Dec 5 15:30:03 it dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011lip=10.1.2.3#011rip=123.123.123.123#011lport=143#011rport=40816#011resp=<hidden>
Dec 5 15:30:03 it dovecot: auth: Debug:
imap(username,123.123.123.123): lookup host=10.1.16.226 port=143
Dec 5 15:30:03 it dovecot: auth: Debug: imapc(10.1.2.3:143): Looking
up IP address
Dec 5 15:30:03 it dovecot: auth: Debug: imapc(10.1.2.3:143):
Connecting to 10.1.2.3:143
Dec 5 15:30:03 it dovecot: auth: Debug: imapc(10.1.2.3:143): Server
capabilities: IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS MAILBOX-REFERRALS
NAMESPACE LITERAL+ UIDPLUS CHILDREN AUTH=NTLM
Dec 5 15:30:03 it dovecot: auth: Debug: imapc(10.1.2.3:143):
Authenticating as username
Dec 5 15:30:03 it dovecot: auth: Debug: imapc(10.1.16.226:143): Disconnected
Dec 5 15:30:05 it dovecot: auth: Debug: client out:
FAIL#0111#011user=username
The last line *almost* gets me enough for a fail2ban filter, but not
quite, since there's no IP address.
Is there something else I can turn on?
Thanks,
Terry