Sorry for the multiple sends, as I mentioned, I wasn't sure if the
originals got through... apologies for the duplicates!
To update:
One thing I just realized is that the error messages are from
sm-scanner, not sm-acceptingconnections... not sure if that means
anything or not, except that sm-scanner doesn't log the connecting
IP, it just seems to log the relay IP.
For users who use TLS, I can see their authentications in
/var/log/maillog, but users who authenticate without TLS don't show
up there as far as I can tell.
So, basically, I'm trying to find out if there's a way to get
sendmail or SASL to log the sending (authenticated) user, not just
the recipient.
Thanks.
--- Amir
At 12:04 PM -0600 08/26/2012, Amir 'CG' Caspi wrote:
Hi,
Is there any way for me to see who has performed a
_successful_ SMTP auth with saslauthd?
I'm running CentOS 5.8, using sendmail and saslauthd for SMTP
auth. Auth is required for any sending of outside mail... while
looking at my SMTP logs, it appears that a user account may have been
compromised, as I see entries that look like the following:
Aug 26 13:41:58 kismet sm-scanner[12936]: q7NJUPhL023672: to=<xxx>, delay=2+22:11:32, xdelay=00:00:01, mailer=esmtp, pri=25320000, relay=xxx. [xxx], dsn=4.1.1, stat=Deferred: 450 4.1.1 <xxx>: Recipient address rejected: unverified address: unknown user: "xxx"
I don't have any open relaying enabled, SMTP AUTH is required, so
this suggests that a user account has been compromised.
However... I can't figure out how to check WHICH user
account! /var/log/secure contains error messages when a user FAILS
to authenticate... but there are no log messages for success.
So, I can't figure out which user is the one performing
successful auth prior to these clear spam attempts.
Any help would be greatly appreciated... and ASAP since I want to
terminate these spam issues immediately.
Thanks!!
--- Amir
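An added example, not part of either message above and not the poster's own code, showing how the question in this thread can be worked once sendmail is logging what it needs to. Two facts it relies on: sendmail logs every successful SMTP AUTH as "AUTH=server, relay=..., authid=..., mech=..." only when LogLevel is 10 or higher (the default is 9; set it with define(`confLOG_LEVEL', `10')dnl in sendmail.mc), and the "from=" line for an authenticated session carries proto=ESMTPA (or ESMTPSA when TLS was used) even at the default level. The AUTH line has no queue ID, but it is written by the same daemon child (same syslog pid) as the later "from=" line, so the two can be joined on pid; the queue ID then links the "from=" line to the "to=" lines written by the queue runner (sm-scanner in the post). Everything else in the script, including the sample log lines and the function names, is constructed for illustration.

```python
#!/usr/bin/env python3
"""Attribute failed sendmail deliveries to the SMTP AUTH user who injected them.

Example added for this thread (not the poster's code). Assumptions:
  * sendmail runs with LogLevel >= 10, so successful auth is logged as
    "AUTH=server, relay=..., authid=..., mech=..., bits=..."
  * the same daemon child (same pid) logs that line and the later
    "<qid>: from=<...>, ..., proto=ESMTPA|ESMTPSA, ..., relay=..." line
  * delivery attempts appear as "<qid>: to=<...>, ..., stat=..." from
    whatever process runs the queue (sendmail, or sm-scanner as in the post)
"""
import re
import sys
from collections import defaultdict

# Constructed sample log lines in sendmail's syslog format (not real traffic).
SAMPLE_MAILLOG = """\
Aug 26 13:40:01 kismet sendmail[23670]: AUTH=server, relay=[203.0.113.7], authid=bob, mech=LOGIN, bits=0
Aug 26 13:40:02 kismet sendmail[23670]: q7QJe2ab023672: from=<bob@example.org>, size=1843, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTPA, daemon=MTA, relay=[203.0.113.7]
Aug 26 13:40:03 kismet sendmail[23670]: q7QJe3cd023673: from=<bob@example.org>, size=1851, class=0, nrcpts=1, msgid=<2@example.org>, proto=ESMTPA, daemon=MTA, relay=[203.0.113.7]
Aug 26 13:40:30 kismet sendmail[23681]: STARTTLS=server, relay=[198.51.100.9], version=TLSv1/SSLv3, verify=NO, cipher=AES256-SHA, bits=256/256
Aug 26 13:40:31 kismet sendmail[23681]: AUTH=server, relay=[198.51.100.9], authid=alice, mech=PLAIN, bits=0
Aug 26 13:40:32 kismet sendmail[23681]: q7QJeWef023690: from=<alice@example.org>, size=512, class=0, nrcpts=1, msgid=<3@example.org>, proto=ESMTPSA, daemon=MTA, relay=[198.51.100.9]
Aug 26 13:41:10 kismet sendmail[23700]: q7QJhAgh023700: from=<root>, size=300, class=0, nrcpts=1, msgid=<4@kismet.example.org>, relay=root@localhost
Aug 26 13:41:58 kismet sm-scanner[12936]: q7QJe2ab023672: to=<nobody1@example.net>, delay=00:01:56, xdelay=00:00:01, mailer=esmtp, pri=121843, relay=mx.example.net. [192.0.2.25], dsn=4.1.1, stat=Deferred: 450 4.1.1 <nobody1@example.net>: Recipient address rejected: unverified address: unknown user: "nobody1"
Aug 26 13:41:59 kismet sm-scanner[12936]: q7QJe3cd023673: to=<nobody2@example.net>, delay=00:01:56, xdelay=00:00:01, mailer=esmtp, pri=121851, relay=mx.example.net. [192.0.2.25], dsn=5.1.1, stat=User unknown
Aug 26 13:42:00 kismet sm-scanner[12936]: q7QJeWef023690: to=<friend@example.net>, delay=00:01:28, xdelay=00:00:01, mailer=esmtp, pri=120512, relay=mx.example.net. [192.0.2.25], dsn=2.0.0, stat=Sent (OK id=1T5xyz-0001)
Aug 26 13:42:01 kismet sm-scanner[12936]: q7QJhAgh023700: to=<admin@example.net>, delay=00:00:51, xdelay=00:00:01, mailer=esmtp, pri=120300, relay=mx.example.net. [192.0.2.25], dsn=4.4.1, stat=Deferred: Connection timed out
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^AUTH=server, relay=(?P<relay>.+?), authid=(?P<authid>[^,]+), mech=")
FROM_RE = re.compile(r"^(?P<qid>\w+): from=<(?P<env>[^>]*)>, .*?proto=(?P<proto>[A-Z]+), .*?relay=(?P<relay>.+)$")
TO_RE = re.compile(r"^(?P<qid>\w+): to=(?P<rcpts>[^ ]+?), .*?stat=(?P<stat>.*)$")
# stat= values that mean the attempt did not go through
FAILED_STAT_RE = re.compile(r"^(Deferred|User unknown|Service unavailable)")

# Bucket labels for queue IDs we cannot tie to an authid
NOT_AUTHENTICATED = "(no authenticated from= line in this log)"
AUTH_NOT_LOGGED = "(authenticated session, but no AUTH=server line: LogLevel < 10?)"


def parse_lines(log_text):
    """Yield (pid, message) for each syslog line we can parse; skip the rest."""
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.group("pid"), m.group("msg")


def queue_ids_by_authid(log_text):
    """Map each queue ID injected over an authenticated session to its authid.

    The AUTH=server line carries no queue ID, so the join key is the pid of the
    daemon child: the most recent AUTH line from that pid belongs to the session
    that produced the following from= line. proto=ESMTPA/ESMTPSA guards against
    a recycled pid inheriting a stale authid from an earlier connection.
    """
    last_auth = {}   # pid -> authid of the latest AUTH=server line
    owner = {}       # qid -> authid, or None if the AUTH line was never logged
    for pid, msg in parse_lines(log_text):
        a = AUTH_RE.match(msg)
        if a:
            last_auth[pid] = a.group("authid")
            continue
        f = FROM_RE.match(msg)
        if f and f.group("proto") in ("ESMTPA", "ESMTPSA"):
            owner[f.group("qid")] = last_auth.get(pid)
    return owner


def failed_deliveries_by_user(log_text):
    """Group failed to= entries by the authid that injected the message.

    Returns {authid_or_bucket: [(qid, recipients, stat), ...]}.
    """
    owner = queue_ids_by_authid(log_text)
    by_user = defaultdict(list)
    for _pid, msg in parse_lines(log_text):
        t = TO_RE.match(msg)
        if not t or not FAILED_STAT_RE.match(t.group("stat")):
            continue
        qid = t.group("qid")
        if qid not in owner:
            key = NOT_AUTHENTICATED        # local submission, or from= line rotated away
        else:
            key = owner[qid] or AUTH_NOT_LOGGED
        by_user[key].append((qid, t.group("rcpts"), t.group("stat")))
    return dict(by_user)


if __name__ == "__main__":
    # Usage: attribute_auth.py /var/log/maillog  (no argument: run on the sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    for user, entries in sorted(failed_deliveries_by_user(text).items()):
        print(f"{user}: {len(entries)} failed delivery attempt(s)")
        for qid, rcpts, stat in entries:
            print(f"  {qid} {rcpts} {stat[:60]}")
```

Run against the live log with the path as the only argument; with no argument it works through the constructed sample, where bob's two deferred messages are attributed to his authid while the local root submission lands in the unauthenticated bucket. If every authenticated queue ID ends up in the "LogLevel < 10" bucket, the AUTH=server lines are missing and the log level needs raising before the next round of spam can be attributed. The from= line may live in a rotated log file when delays run to days, as in the post's delay=2+22:11:32, so feed the rotated files in too.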