Re: logging failed auth attempts

On 07/12/10 11:43 +0200, Tom Kinghorn wrote:
> Good morning.
>
> Firstly, please forgive me for posting here.
> I am new to Cyrus and have tried Google, with no luck.
>
> I have inherited a SLES 11 server with postfix & amavisd-new.
>
> The logs are full of LOGIN failures but it does not show the username which failed.
>
> postfix/smtpd[11881]: warning: unknown[41.145.221.103]: SASL LOGIN authentication failed: authentication failure
>
> Is it possible to do this?
>
> I would like to see the failed username in order to act on accounts which have been compromised.

What does your /etc/postfix/sasl/smtpd.conf SASL config look like?

If you're using saslauthd (pwcheck_method: saslauthd), you should see
failed PAM authentication attempts in the log file you're capturing syslog
auth.* to, or you could try running saslauthd in debug mode.

Otherwise (pwcheck_method: auxprop), I'm not aware of a way to log the
username of a failed authentication attempt in your logs. You may see them
in a pcap trace, since LOGIN is a plaintext authentication mechanism, with
something like:

tcpdump -n -s0 -w/tmp/capture.pcap host 41.145.221.103 and port 25

--
Dan White
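
The reply above points out that LOGIN usernames are visible in a capture. The following is an added example, not part of the original message, showing how the base64 AUTH LOGIN exchange can be read to list the usernames of failed attempts. It assumes the SMTP conversation has already been reassembled to text from the pcap and was not wrapped in TLS; the `C: `/`S: ` direction prefixes, the function names and all sample values are constructed for the example.

```python
import base64
import binascii

# Constructed sample: one SMTP conversation reassembled from a capture.
# The "C: "/"S: " direction prefixes and all values are made up for this example.
SAMPLE_STREAM = """\
S: 220 mail.example.org ESMTP
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: am9obkBleGFtcGxlLm9yZw==
S: 334 UGFzc3dvcmQ6
C: eHh4
S: 535 5.7.8 Error: authentication failed
C: AUTH LOGIN aW5mbw==
S: 334 UGFzc3dvcmQ6
C: eHh4
S: 535 5.7.8 Error: authentication failed
"""

def b64_text(token):
    """Decode a base64 token to text, or return None if it is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def failed_login_usernames(stream):
    """Return the usernames of AUTH LOGIN exchanges that ended in a 535 reply."""
    failed, user, expect_user = [], None, False
    for line in stream.splitlines():
        side, _, text = line.strip().partition(": ")
        parts = text.split()
        if side == "C" and [p.upper() for p in parts[:2]] == ["AUTH", "LOGIN"]:
            # The username may ride on the AUTH line as an initial response.
            user = b64_text(parts[2]) if len(parts) > 2 else None
            expect_user = False
        elif side == "C" and expect_user:
            user, expect_user = b64_text(text), False
        elif side == "S" and text.startswith("334 "):
            # 334 carries a base64 prompt; after "Username:" the name follows.
            # The reply to the "Password:" prompt is deliberately never decoded.
            expect_user = (b64_text(text[4:].strip()) or "").lower().startswith("username")
        elif side == "S" and text.startswith(("235", "535")):
            if text.startswith("535") and user is not None:
                failed.append(user)
            user = None
    return failed

if __name__ == "__main__":
    print(failed_login_usernames(SAMPLE_STREAM))
```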

