Scott Neville <dovecot-in@keystealth.org> writes:
I am trying to use the logs to show the IP that brute force activity comes from, but I'm not succeeding. I have read the archives and seen the advice others have had. I can see logs for repeated bad logins, but I need the IP address from the attempts.
... but only for successful logins. The brute force attempts don't log like that:
Sep 16 00:02:58 olive dovecot: auth: pam(backup): unknown user
This was similar to another complaint several months ago. I conjectured that these attempts are SMTP AUTH, not IMAP, brute forcing. Are you using Dovecot's SASL feature to authenticate outgoing email (i.e. via Postfix)? Maybe you can verify this hypothesis by checking the Postfix logs.
Joseph Tam <jtam.home@gmail.com>
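
One way to check the hypothesis in the reply above, as an added example that is not part of the original thread: pair each Dovecot `unknown user` line with the nearest Postfix SASL failure and count failures per client IP. It assumes both services log to the same syslog stream and that Postfix emits its `SASL ... authentication failed` warning; the sample lines, the 5-second window and the address 203.0.113.7 are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines. The Dovecot lines follow the format quoted in the
# thread; the Postfix lines, the PID and 203.0.113.7 are illustrative.
SAMPLE_LOG = """\
Sep 16 00:02:58 olive dovecot: auth: pam(backup): unknown user
Sep 16 00:02:59 olive postfix/smtpd[4121]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 00:03:04 olive dovecot: auth: pam(admin): unknown user
Sep 16 00:03:05 olive postfix/smtpd[4121]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 00:10:00 olive dovecot: auth: pam(test): unknown user
"""

# Dovecot auth failure as quoted in the thread: no client IP on the line.
DOVECOT_FAIL = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ dovecot: auth: \w+\(([^),]+)[^)]*\): unknown user")
# Postfix smtpd warning for a failed SASL login: this line carries the client IP.
POSTFIX_FAIL = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/\S+\[\d+\]: warning: "
    r"\S+\[([^\]]+)\]: SASL \S+ authentication failed")

def _ts(stamp):
    # Syslog stamps carry no year; a fixed one is assumed for time arithmetic.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")

def attribute_failures(log_text, window=timedelta(seconds=5)):
    """Return (Counter of failures per IP, [(time, user)] with no SMTP match)."""
    dovecot, postfix = [], []
    for line in log_text.splitlines():
        if m := DOVECOT_FAIL.match(line):
            dovecot.append((_ts(m.group(1)), m.group(2)))
        elif m := POSTFIX_FAIL.match(line):
            postfix.append((_ts(m.group(1)), m.group(2)))
    by_ip, unmatched = Counter(), []
    for when, user in dovecot:
        # Heuristic: the closest SASL failure in time is taken as the source.
        near = min(postfix, key=lambda p: abs(p[0] - when), default=None)
        if near and abs(near[0] - when) <= window:
            by_ip[near[1]] += 1
        else:
            unmatched.append((when, user))  # likely not SMTP AUTH
    return by_ip, unmatched

if __name__ == "__main__":
    by_ip, unmatched = attribute_failures(SAMPLE_LOG)
    print(by_ip.most_common(), unmatched)
```

Failures left in `unmatched` had no SASL warning nearby, so they point at a different front end than SMTP AUTH; on a busy server the time-based pairing is only approximate.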