On 11.11.2010, at 17.57, PA wrote:

> Yes postfix is configured for SASL so the spammer ip was able to relay email
> after it obtained the account info.

Postfix supports Cyrus SASL and Dovecot SASL. You didn't specify which one.

> My concern is how the spammer got the user/pass in the 1st place since
> nowhere on the dovecot logs do I see that particular user attempting to
> login with the wrong/correct password etc. I should be able to see all login
> attempts correct if the user/pass was obtained through a dict. attack? If
> that's the case then most likely the user/password was obtained from the
> user's PC and not guessed on the mail server. I am trying to make sense of
> what happened and to make sure I'm not overlooking something on dovecot.

Yes, all login attempts via Dovecot are logged, but only if you have auth_verbose=yes. If your Postfix authentications went through Cyrus SASL, then I don't know what it logs.