Should dovecot not be using different logging facility and severity levels?

Marc Roos M.Roos at f1-outsourcing.eu
Fri Aug 9 17:39:16 EEST 2019



Should dovecot not be using different severity levels like auth.warn? On 
my system everything goes to loglevel info:


lev_info:Aug  9 16:18:24 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS, session=<UBXJ2K+PYh68zmjw>
lev_info:Aug  9 16:18:29 mail03 dovecot: auth-worker(28656): 
pam(krinfo,188.206.104.240,<LOLx2K+PYx68zmjw>): unknown user
lev_info:Aug  9 16:18:50 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 25 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS: Disconnected, session=<LOLx2K+PYx68zmjw>
lev_info:Aug  9 16:18:53 mail03 dovecot: auth-worker(28656): 
pam(krinfo,188.206.104.240,<qJOm2q+Pax68zmjw>): unknown user
lev_info:Aug  9 16:19:01 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 8 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS, session=<qJOm2q+Pax68zmjw>
lev_info:Aug  9 16:19:13 mail03 dovecot: auth-worker(28656): 
pam(krinfo,188.206.104.240,<k8/X26+Pch68zmjw>): unknown user
lev_info:Aug  9 16:19:15 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS, session=<k8/X26+Pch68zmjw>
lev_info:Aug  9 16:19:24 mail03 dovecot: auth-worker(28656): 
pam(krinfo,188.206.104.240,<MjBy3K+Pfh68zmjw>): unknown user
lev_info:Aug  9 16:19:26 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS, session=<MjBy3K+Pfh68zmjw>
lev_info:Aug  9 16:19:27 mail03 dovecot: auth-worker(28656): 
pam(krinfo,188.206.104.240,<oRmo3K+Pfx68zmjw>): unknown user
lev_info:Aug  9 16:19:29 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS, session=<oRmo3K+Pfx68zmjw>
lev_info:Aug  9 16:19:47 mail03 dovecot: auth-worker(29664): 
pam(krinfo,188.206.104.240,<14Pb3a+Pih68zmjw>): unknown user
lev_info:Aug  9 16:19:49 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS, session=<14Pb3a+Pih68zmjw>
lev_info:Aug  9 16:19:51 mail03 dovecot: auth-worker(29664): 
pam(krinfo,188.206.104.240,<99cO3q+Pix68zmjw>): unknown user
lev_info:Aug  9 16:19:53 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS, session=<99cO3q+Pix68zmjw>


This is how failed attempts are logged by vsftpd

fac_authpriv:Aug  9 16:24:42 web01 vsftpd[7255]: pam_ldap(vsftpd:auth): 
Authentication failure; user=xxxxx
fac_authpriv:Aug  9 16:24:42 web01 vsftpd[7255]: pam_unix(vsftpd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=xxxxx 
rhost=xxxxx  user=xxxxx
fac_ftp:Aug  9 16:24:44 web01 vsftpd[7255]: [xxxxx] FAIL LOGIN: Client 
"x.x.x.x"
lev_notice:Aug  9 16:24:42 web01 vsftpd[7255]: pam_ldap(vsftpd:auth): 
Authentication failure; user=xxxxx
lev_notice:Aug  9 16:24:42 web01 vsftpd[7255]: pam_unix(vsftpd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=xxxxx 
rhost=xxxxx  user=xxxxx
lev_warn:Aug  9 16:24:44 web01 vsftpd[7255]: [xxxxx] FAIL LOGIN: Client 
"x.x.x.x"


Using dovecot-2.2.36-3.el7.x86_64 on CentOS7
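
An added example, not part of the original post and not Dovecot's own code: since the failed logins above all arrive at info severity, a log filter has to select them by message text rather than by priority. The Python below pairs each imap-login "Aborted login" line with the auth-worker line that shares its session id and totals the attempts per remote address. The sample lines, user names, session ids and addresses are constructed, and each event is assumed to sit on one unwrapped line.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in the post, one event per line.
# Users, session ids and addresses (documentation ranges) are made up.
SAMPLE = """\
Aug  9 16:18:29 mail03 dovecot: auth-worker(28656): pam(alice,198.51.100.7,<S1aa+/bb>): unknown user
Aug  9 16:18:50 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 25 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS: Disconnected, session=<S1aa+/bb>
Aug  9 16:18:53 mail03 dovecot: auth-worker(28656): pam(alice,198.51.100.7,<S2cc+/dd>): unknown user
Aug  9 16:19:01 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 8 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<S2cc+/dd>
Aug  9 16:19:05 mail03 dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.10, mpid=29001, TLS, session=<S3ee+/ff>
Aug  9 16:19:15 mail03 dovecot: imap-login: Aborted login (auth failed, 3 attempts in 9 secs): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS, session=<S4gg+/hh>
""".splitlines()

# Failed login as reported by the login process (the severity is not consulted).
LOGIN_FAIL = re.compile(
    r"dovecot: (?P<svc>\S+-login): Aborted login \(auth failed, (?P<n>\d+) attempts"
    r" in \d+ secs\): user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[^,]+), .*session=<(?P<sid>[^>]+)>")
# Reason as reported by the auth worker: pam(user,remote-ip,<session>): reason
AUTH_WORKER = re.compile(
    r"dovecot: auth-worker\(\d+\): pam\([^,]*,[^,]+,<(?P<sid>[^>]+)>\): (?P<reason>.+)$")

def failed_logins(lines):
    """One record per failed login session, with the auth-worker reason joined on session id."""
    reasons, events = {}, []
    for line in lines:
        if m := AUTH_WORKER.search(line):
            reasons[m["sid"]] = m["reason"]
        elif m := LOGIN_FAIL.search(line):
            events.append({"service": m["svc"], "user": m["user"], "rip": m["rip"],
                           "attempts": int(m["n"]), "session": m["sid"]})
    # Join after the scan so the result does not depend on line order.
    for e in events:
        e["reason"] = reasons.get(e["session"])  # None: no auth-worker line seen
    return events

def attempts_by_source(events):
    """Total failed attempts per remote address."""
    totals = Counter()
    for e in events:
        totals[e["rip"]] += e["attempts"]
    return dict(totals)

if __name__ == "__main__":
    events = failed_logins(SAMPLE)
    for e in events:
        print(e)
    print(attempts_by_source(events))
```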





