I am trying to implement logging of all failed authentication attempts to catch
bruteforce automatically. Currently, I have the following configuration:
event_exporter log {
  format = json
  format_args = time-rfc3339
  transport = log
}
metric auth_fail {
  filter = event=auth_request_finished and not success=yes
  exporter = log
}
However, in the logs I only see events similar to this:
{
  "event": "auth_request_finished",
  "hostname": "cheems",
  "start_time": "2024-08-04T00:00:04.079723Z",
  "end_time": "2024-08-04T00:00:12.224906Z",
  "categories": [
    "service:auth",
    "auth"
  ],
  "fields": {
    "duration": 8145091,
    "policy_result": "ok",
    "mechanism": "LOGIN",
    "transport": "trusted",
    "service": "smtp",
    "local_ip": "195.201.247.11",
    "real_local_ip": "195.201.247.11",
    "remote_ip": "185.29.xx.xx",
    "real_remote_ip": "185.29.xx.xx",
    "original_user": "[email protected]",
    "user": "[email protected]",
    "translated_user": "[email protected]"
  }
}
But to me it doesn't look like what is specified in the docs[1]:

Field          | Description
---------------+-------------------------------------------
error          | Set when error happens
success        | yes, when authentication succeeded
policy_penalty | Time of penalty added by policy server
policy_result  | Values: ok, delayed, refused
Why don't I see either the "success" or the "error" field in the logs? Also, why
is policy_result ok even though I am logging only failed authentication attempts? From Postfix I can
see that those attempts actually failed:

Aug 04 00:00:14 cheems postfix/smtpd[2362656]: warning: unknown[185.29.xx.xx]:54330: SASL LOGIN authentication failed: (reason unavailable), [email protected]
[1]: https://doc.dovecot.org/admin_manual/list_of_events/#auth-request-finished
--
Send unsolicited bulk mail to [email protected]
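The detection the post is trying to build, written out as an added example that is not part of the original message and not Dovecot's own code: it reads auth_request_finished events from the JSON event_exporter output, treats every event that does not carry success=yes (or that carries an error field) as a failure, and keeps a per-source sliding window to flag sources that fail repeatedly. The sample events are constructed for this example (the addresses and IPs are documentation placeholders, not real data); the parser accepts both one-object-per-line output and pretty-printed objects like the excerpt in the post. The threshold and window values are arbitrary assumptions to tune.

```python
"""Brute-force detection over Dovecot auth_request_finished JSON events.

Added example, not from the original post or from Dovecot. Assumptions:
events are JSON objects (one per line, or pretty-printed); an event without
"success": "yes" counts as a failed authentication; real_remote_ip is the
source to aggregate on (remote_ip as fallback).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events for this example (not real log data).
SAMPLE_LOG = """\
{"event": "auth_request_finished", "hostname": "cheems", "start_time": "2024-08-04T00:00:04.079723Z", "end_time": "2024-08-04T00:00:12.224906Z", "fields": {"mechanism": "LOGIN", "service": "smtp", "real_remote_ip": "185.29.0.1", "user": "user@example.com", "policy_result": "ok"}}
{"event": "auth_request_finished", "hostname": "cheems", "start_time": "2024-08-04T00:00:13.000000Z", "end_time": "2024-08-04T00:00:20.000000Z", "fields": {"mechanism": "LOGIN", "service": "smtp", "real_remote_ip": "185.29.0.1", "user": "user@example.com", "policy_result": "ok"}}
{"event": "auth_request_finished", "hostname": "cheems", "start_time": "2024-08-04T00:00:21.000000Z", "end_time": "2024-08-04T00:00:28.000000Z", "fields": {"mechanism": "LOGIN", "service": "smtp", "real_remote_ip": "185.29.0.1", "user": "admin@example.com", "policy_result": "ok"}}
{"event": "auth_request_finished", "hostname": "cheems", "start_time": "2024-08-04T00:00:30.000000Z", "end_time": "2024-08-04T00:00:31.000000Z", "fields": {"mechanism": "PLAIN", "service": "imap", "real_remote_ip": "203.0.113.7", "user": "alice@example.com", "success": "yes", "policy_result": "ok"}}
{"event": "auth_request_finished", "hostname": "cheems", "start_time": "2024-08-04T00:10:00.000000Z", "end_time": "2024-08-04T00:10:08.000000Z", "fields": {"mechanism": "LOGIN", "service": "smtp", "real_remote_ip": "185.29.0.1", "user": "user@example.com", "policy_result": "ok"}}
"""


def iter_events(text):
    """Yield JSON objects from text, whether each object is on one line or
    pretty-printed over several lines (as in the post's excerpt)."""
    decoder = json.JSONDecoder()
    pos, n = 0, len(text)
    while True:
        while pos < n and text[pos].isspace():
            pos += 1
        if pos >= n:
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def parse_time(s):
    """Parse the RFC 3339 timestamp written by format_args = time-rfc3339.
    Older Pythons do not accept a trailing 'Z' in fromisoformat."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_failed_auth(ev):
    """Assumption: the docs say 'success' is only set when authentication
    succeeded, so its absence (or an 'error' field) marks a failure."""
    if ev.get("event") != "auth_request_finished":
        return False
    f = ev.get("fields", {})
    return f.get("success") != "yes" or "error" in f


def find_bruteforce(text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: (max_failures_in_window, sorted_users_tried)} for every
    source reaching `threshold` failures within any `window`-long span."""
    recent = defaultdict(deque)  # ip -> deque of (time, user) inside window
    alerts = {}
    events = sorted(iter_events(text), key=lambda e: parse_time(e["end_time"]))
    for ev in events:
        if not is_failed_auth(ev):
            continue
        f = ev["fields"]
        ip = f.get("real_remote_ip") or f.get("remote_ip")
        t = parse_time(ev["end_time"])
        q = recent[ip]
        q.append((t, f.get("user")))
        while q and t - q[0][0] > window:  # drop failures older than window
            q.popleft()
        if len(q) >= threshold:
            users = sorted({u for _, u in q if u})
            prev = alerts.get(ip)
            if prev is None or len(q) > prev[0]:
                alerts[ip] = (len(q), users)
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins in window, users tried: {users}")
```

The fourth failure from 185.29.0.1 ten minutes later falls outside the five-minute window and does not raise the count, which is what keeps a slow, occasional mistyped password from being reported as an attack; lower the threshold or widen the window if low-and-slow guessing is the concern.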