Hello,
The problem was I forgot to add the server_set_id = $auth1 line to the
dovecot_login authenticator.
Regards,
Jesús Ángel.
On 11/10/2021 13:35, Jesús Ángel del Pozo wrote:
Hello,
I am using dovecot_authenticator for Exim and I get a lot of
authentication failure log entries, most of them due to brute force
attacks. The log entries are like this:
2021-10-11 13:30:21 dovecot_login authenticator failed for ([5.188.206.194])
[5.188.206.194]: 535 Incorrect authentication data
I wonder whether it would be possible to show the user ID the attacker
used to authenticate himself.
Here it is the SMTP data for one of these SMTP sessions:
SMTP>> 250-disguised.domain.com Hello [5.188.206.194] [5.188.206.194]
SMTP<< AUTH LOGIN
SMTP>> 334 VXNlcm5hbWU6
received: CONT 1 UGFzc3dvcmQ6
SMTP>> 334 UGFzc3dvcmQ6
received: FAIL 1user=webmas...@somedomain.net
SMTP>> 535 Incorrect authentication data
LOG: MAIN REJECT
dovecot_login authenticator failed for ([5.188.206.194]) [5.188.206.194]:
535 Incorrect authentication data
SMTP>> 421 disguised.domain.com lost input connection
Warm regards,
Jesús Ángel.
