On Sun, 2013-07-28 at 19:58 +0200, Grzegorz Staniak wrote: > Hi, > > Are log lines like the following: > > Jul 28 15:30:50 mx1.somewhere dovecot: auth-worker(18980): > sql(user@domain,217.67.x.x): unknown user > Jul 28 15:32:56 mx1.somewhere dovecot: auth-worker(18980): > sql(user@domain,212.182.x.x): Password mismatch > > written every time any authetntication phase fails, in SASL as well as > in POP3/IMAP mailbox access? I have a legacy app that would gain a lot > if I could distinguish between failed SASL authentication and failed > POP3/IMAP authentication. I know I can use the "auth failed" lines for > the latter case, and postfix log lines in the former, but they don't > contain user info. Is there a way for log monitoring software to get > failed login lines with both user info, and the reason (SASL, POP3, > IMAP)?
With newer Dovecot versions the auth log lines include <sessionid>. Simplest way to differentiate then POP3/IMAP vs SMTP is to see if there is a <sessionid> at all, becauseSMTP doesn't (currently at least) provide one.
