[Dovecot] logging of failed SASL usernames
as far as i understand postfix has no way to know the username of such failed logins like below, IMHO dovecot internally does because it verifies against the sql-userdatabase
is there a way that dovecot logs the username?
after ask the users to change their passwords for safety caused by Heartbleed it was easy to write a tool find forgotten devices in case of IMAP/POP3 but especially Apple clients force to enter the new password seperated for incoming and outgoing server and don't tell the user if things don't work
so there is really a need support them and fuzzy logic based on the last successful IMAP/POP3 login from a IP and failed send attempts from the same IP shortly after receive mail leaves a bad taste of only a guess
May 18 11:19:09 mail postfix/smtpd[5173]: warning: unknown[177.139.182.86]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 May 18 11:19:15 mail postfix/smtpd[5173]: warning: unknown[177.139.182.86]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Sun, 18 May 2014, Reindl Harald wrote:
is there a way that dovecot logs the username?
Did you've tried:
# Log unsuccessful authentication attempts and the reasons why they failed. #auth_verbose = no
maybe auth_debug?
I would suppose that this setting applies to all auth attempts.
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)
iQEVAwUBU3muOXz1H7kL/d9rAQJzTAf/R7FWiGcO98/u8SlVZhb+82pMLggs/+tx C7ZSPM7u8b1JA3pmSf4YC750ufxnWjlrgVHwtnEuBfgE6kLd18zvyV97Edy4oF8Z n5oRX9e9bAJnY/Q8Y85tIdDJ5RYBAYwM/qybGhUwg+BEI6hOdGbAtV3u7BpV6t1/ H4qouUWvONaKuZX8dWJy0Xd7zTHbXzyOjmzr3dqQsHZE+27hJ+OmBemToxhB+6Wz ZEFDDXEQmsG9md/wusBCXkeqZBiplgYBb531WjtMY+PInrrVta8nylFGahkE99r3 u3YvfkUxmLflb29xbKQdQkIfGHgbJQcB8PXx9+/XYM6RHN92kjWKoQ== =8XnD -----END PGP SIGNATURE-----
Am 19.05.2014 09:09, schrieb Steffen Kaiser:
On Sun, 18 May 2014, Reindl Harald wrote:
is there a way that dovecot logs the username?
Did you've tried:
# Log unsuccessful authentication attempts and the reasons why they failed. #auth_verbose = no
maybe auth_debug?
I would suppose that this setting applies to all auth attempts
i talk about standard logging in a production environment not for a short period of debugging but always and forever, the current postfix "login failed" log is unhelpful
if it logs failed POP3/IMAP logins without debug mode why not SASL auth?
participants (2)
-
Reindl Harald
-
Steffen Kaiser