On 11.11.2010, at 17.57, PA wrote:
> Yes, Postfix is configured for SASL, so the spammer IP was able to relay email after it obtained the account info.
Postfix supports Cyrus SASL and Dovecot SASL. You didn't specify which one.
> My concern is how the spammer got the user/pass in the 1st place, since nowhere in the Dovecot logs do I see that particular user attempting to log in with the wrong/correct password etc. I should be able to see all login attempts, correct, if the user/pass was obtained through a dict. attack? If that's the case then most likely the user/password was obtained from the user's PC and not guessed on the mail server. I am trying to make sense of what happened and to make sure I'm not overlooking something on Dovecot.
Yes, all login attempts via Dovecot are logged, but only if you have auth_verbose=yes.
If your Postfix authentications went through Cyrus SASL, then I don't know what it logs.
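An added example, not part of the original message: one way to check whether a given account saw repeated failed logins before it was abused, by scanning the auth failure lines Dovecot writes when auth_verbose=yes. The log line shape, the function names and the sample lines are assumptions constructed for illustration, and it only sees authentications that went through Dovecot.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread). Assumed shape of an
# auth_verbose failure line: "<passdb>(<user>,<remote ip>): <reason>".
SAMPLE_LOG = """\
Nov 10 03:12:01 mail dovecot: auth(default): passwd-file(alice,203.0.113.7): Password mismatch
Nov 10 03:12:03 mail dovecot: auth(default): passwd-file(alice,203.0.113.7): Password mismatch
Nov 10 03:12:04 mail dovecot: auth(default): passwd-file(admin,203.0.113.7): unknown user
Nov 10 03:12:06 mail dovecot: auth(default): passwd-file(alice,203.0.113.7): Password mismatch
Nov 10 09:30:15 mail dovecot: auth(default): passwd-file(bob,198.51.100.20): Password mismatch
Nov 10 09:30:40 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.20
"""

# "[^)]*" tolerates extra fields after the IP (for example a session id).
FAIL_RE = re.compile(
    r"dovecot: auth[^:]*: (?P<passdb>[\w-]+)"
    r"\((?P<user>[^,()]*),(?P<ip>[0-9A-Fa-f.:]+)[^)]*\): "
    r".*?(?P<reason>password mismatch|unknown user)",
    re.IGNORECASE,
)

def failures_by_user(log_text):
    """Return {user: Counter({remote_ip: failed_attempts})}."""
    result = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            result[m.group("user")][m.group("ip")] += 1
    return result

def guessing_sources(log_text, user, threshold=3):
    """IPs with at least `threshold` failed logins for `user`.

    An empty list means the log shows no sign that this account's
    password was guessed through Dovecot authentication.
    """
    per_ip = failures_by_user(log_text).get(user, Counter())
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    for user, per_ip in failures_by_user(SAMPLE_LOG).items():
        print(user, dict(per_ip))
    print("alice guessed from:", guessing_sources(SAMPLE_LOG, "alice"))
```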