New subject: Dovecot for imap with LDAP

9 Aug 2019


      Should dovecot not be using different severity levels like auth.warn? On
my system everything goes to loglevel info:
lev_info:Aug  9 16:18:24 mail03 dovecot: imap-login: Aborted login (auth
failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x,
lip=x.x.x.x, TLS, session=
lev_info:Aug  9 16:18:29 mail03 dovecot: auth-worker(28656):
pam(krinfo,188.206.104.240,): unknown user
lev_info:Aug  9 16:18:50 mail03 dovecot: imap-login: Aborted login (auth
failed, 1 attempts in 25 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x,
lip=x.x.x.x, TLS: Disconnected, session=
lev_info:Aug  9 16:18:53 mail03 dovecot: auth-worker(28656):
pam(krinfo,188.206.104.240,): unknown user
lev_info:Aug  9 16:19:01 mail03 dovecot: imap-login: Aborted login (auth
failed, 1 attempts in 8 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x,
lip=x.x.x.x, TLS, session=
lev_info:Aug  9 16:19:13 mail03 dovecot: auth-worker(28656):
pam(krinfo,188.206.104.240,): unknown user
lev_info:Aug  9 16:19:15 mail03 dovecot: imap-login: Aborted login (auth
failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x,
lip=x.x.x.x, TLS, session=
lev_info:Aug  9 16:19:24 mail03 dovecot: auth-worker(28656):
pam(krinfo,188.206.104.240,): unknown user
lev_info:Aug  9 16:19:26 mail03 dovecot: imap-login: Aborted login (auth
failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x,
lip=x.x.x.x, TLS, session=
lev_info:Aug  9 16:19:27 mail03 dovecot: auth-worker(28656):
pam(krinfo,188.206.104.240,): unknown user
lev_info:Aug  9 16:19:29 mail03 dovecot: imap-login: Aborted login (auth
failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x,
lip=x.x.x.x, TLS, session=
lev_info:Aug  9 16:19:47 mail03 dovecot: auth-worker(29664):
pam(krinfo,188.206.104.240,<14Pb3a+Pih68zmjw>): unknown user
lev_info:Aug  9 16:19:49 mail03 dovecot: imap-login: Aborted login (auth
failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x,
lip=x.x.x.x, TLS, session=<14Pb3a+Pih68zmjw>
lev_info:Aug  9 16:19:51 mail03 dovecot: auth-worker(29664):
pam(krinfo,188.206.104.240,<99cO3q+Pix68zmjw>): unknown user
lev_info:Aug  9 16:19:53 mail03 dovecot: imap-login: Aborted login (auth
failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x,
lip=x.x.x.x, TLS, session=<99cO3q+Pix68zmjw>
This is how failed attempts are logged by vsftpd
fac_authpriv:Aug  9 16:24:42 web01 vsftpd[7255]: pam_ldap(vsftpd:auth):
Authentication failure; user=xxxxx
fac_authpriv:Aug  9 16:24:42 web01 vsftpd[7255]: pam_unix(vsftpd:auth):
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=xxxxx
rhost=xxxxx  user=xxxxx
fac_ftp:Aug  9 16:24:44 web01 vsftpd[7255]: [xxxxx] FAIL LOGIN: Client
"x.x.x.x"
lev_notice:Aug  9 16:24:42 web01 vsftpd[7255]: pam_ldap(vsftpd:auth):
Authentication failure; user=xxxxx
lev_notice:Aug  9 16:24:42 web01 vsftpd[7255]: pam_unix(vsftpd:auth):
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=xxxxx
rhost=xxxxx  user=xxxxx
lev_warn:Aug  9 16:24:44 web01 vsftpd[7255]: [xxxxx] FAIL LOGIN: Client
"x.x.x.x"
Using dovecot-2.2.36-3.el7.x86_64 on CentOS7

Should dovecot not be using different logging facility and severity levels?

Marc Roos

Joseph Mays

Stuart Henderson

Joseph Mays

Timo Sirainen

tags

participants (4)