On 04/08/2024 13:17, Serhii via dovecot wrote:
I am trying to implement logging of all failed authentication attempts to catch brute force automatically. Currently, I have the following configuration: ...
But to me it doesn't look like what is specified in the docs[1]:
Field          | Description
---            | ---
error          | Set when error happens
success        | yes, when authentication succeeded
policy_penalty | Time of penalty added by policy server
policy_result  | Values: ok, delayed, refused
Why don't I see either a "success" or an "error" field in the logs? Also, why is policy_result ok even though I am logging only failed authentication attempts? From postfix I can see that those attempts actually failed:
Hi Serhii, the way the code currently works is that "success: yes" is the only possible value. When the authentication is not successful the "success" is not present, i.e. there is no "success: no". You're not seeing any "success" values since the code only produces "success: yes" and you've filtered that out. As to why you're not seeing any error, my suspicion is that it is unintentional. If I am right about that then the following patch in the function auth_request_fail_with_reply(...) could solve it. It now logs error: authentication failed.

--- dovecot-2.3.21-orig/src/auth/auth-request.c 2023-09-14 15:17:46.000000000 +0200 +++ dovecot-2.3.21/src/auth/auth-request.c 2024-08-04 14:43:03.837000812 +0200 @@ -303,7 +303,7 @@ stats = auth_request_stats_get(request); stats->auth_failure_count++; } - + request->failed = TRUE; auth_request_set_state(request, AUTH_REQUEST_STATE_FINISHED); auth_request_refresh_last_access(request); auth_request_log_finished(request);

The need for something like this also seems to be warranted by the fact that internal failures on authentication only get reported by the event logging if request->failed is set and I couldn't see anywhere that happens. With the above patch these will also now be logged if there is a call to the function auth_request_internal_failure(...). I also think that the above patch may not deal with all the cases where there is an internal failure in authentication, but those are a bit harder to test. There may still be some cases where there is neither a success nor an error, and those cases should still be treated as failures or subject to further patching.

John
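Review bot: the hunk replaces the blank line after the stats block (the bare `-` line followed by `+ request->failed = TRUE;`) instead of inserting the assignment, so the 7/7 hunk rewrites a line that did not need to change; keep the blank line and add `request->failed = TRUE;` as a pure insertion so the diff is minimal. The assignment is also unconditional inside auth_request_fail_with_reply(...), so every failure that reaches this point will now carry "error: authentication failed" regardless of its cause; the docs entry for error ("Set when error happens") should be updated to say so, and the auth_request_internal_failure(...) path mentioned in the mail still needs a test that confirms it actually passes through this code.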
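Detection logic built on the observation above, as an added example that is not code from the thread or from Dovecot: it treats any auth event without success=yes as a failure (there is no success=no, and error is not reliably present), counts failures per source IP and lists sources over a threshold. The log line layout, user names and addresses are constructed; the real field layout depends on the logging configuration Serhii did not include.

```python
import re
from collections import Counter

# Constructed sample of Dovecot auth event log lines (not taken from the
# thread; the actual layout depends on the unshown logging configuration).
SAMPLE_LOG = """\
auth: Info: login: user=<alice>, rip=203.0.113.5, mechanism=PLAIN, success=yes, policy_result=ok
auth: Info: login: user=<alice>, rip=198.51.100.7, mechanism=PLAIN, policy_result=ok
auth: Info: login: user=<bob>, rip=198.51.100.7, mechanism=PLAIN, policy_result=ok
auth: Info: login: user=<carol>, rip=198.51.100.7, mechanism=LOGIN, policy_result=delayed, policy_penalty=4
auth: Info: login: user=<dave>, rip=198.51.100.7, mechanism=PLAIN, error=authentication failed
auth: Info: login: user=<erin>, rip=192.0.2.9, mechanism=PLAIN, policy_result=ok
"""

# key=value pairs; values are either <bracketed> or run until the next comma
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]+)")


def parse_fields(line):
    """Return the key=value pairs of one auth log line as a dict."""
    return {k: v.strip().strip("<>") for k, v in FIELD_RE.findall(line)}


def is_failure(fields):
    """A request failed unless it carries success=yes.

    Dovecot 2.3 never emits success=no and does not reliably set error on
    failure, so the absence of success=yes is the only safe signal.
    policy_result=ok only means the policy server did not block the
    attempt; it says nothing about whether the credentials were right.
    """
    return fields.get("success") != "yes"


def failed_attempts_by_ip(log_text):
    """Count failed authentication attempts per remote IP (rip field)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if "rip" in fields and is_failure(fields):
            counts[fields["rip"]] += 1
    return counts


def brute_force_sources(log_text, threshold=3):
    """Remote IPs with at least `threshold` failures, e.g. for a block list."""
    counts = failed_attempts_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(dict(failed_attempts_by_ip(SAMPLE_LOG)))
    print(brute_force_sources(SAMPLE_LOG))
```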