On Wed, Jan 18, 2012 at 07:04:46PM -0800, William Yardley wrote:
> Running the RHEL 5 version of Postfix (2.3.3), and Cyrus SASL from
> version 2.1.22.
> 
> Currently, on an auth failure, saslauthd logs the username to
> the auth facility, but not the connecting IP (which presumably
> it doesn't know about). smtpd, which presumably does know the
> username,

Wrong presumption.

> doesn't log it (not sure if this is to prevent logging
> in cases where someone sends a password as a username, or what).
> 
> e.g.,
> Jan 17 04:39:35 earth-doxen postfix/smtpd[14590]: warning: SASL authentication failure: Password verification failed
> Jan 17 04:39:35 earth-doxen postfix/smtpd[14590]: warning: ool-ad03c852.dyn.optonline.net[173.3.200.82]: SASL PLAIN authentication failed: authentication failure
> 
> Once a user successfully authenticates, the sasl_username is
> logged.
> 
> Do later versions of Postfix log the username for auth failures?
> Is there any way to log this information with the version of
> Postfix that I have?

No, IIUC and in many/most cases it would not be possible, because 
when AUTH fails, there is no username to log:

> $smtpd_banner
< EHLO hostname.example
> (ehlo response including "250 AUTH PLAIN")
< AUTH PLAIN thisStringIsNotValidAUTH

Postfix is not equipped to decode that authentication token; it's 
merely passed along to the SASL implementation you chose.

If you are using Dovecot IMAP, you should not be using Cyrus SASL 
here, and Dovecot by default logs to mail facility. (Not necessarily 
what you want on a busy server, but in cases like you describe it 
helps, when using the Dovecot "auth_verbose = yes" setting.)

(There are numerous benefits to be had from upgrading to a current, 
supported Postfix version, but I'll not go into all that here.)

> Obviously, it's usually possible to piece together the saslauthd 
> and smtpd entries to figure out the whole story, but you could 
> imagine a scenario where there are two authentication failures 
> within the same second, or where for some other reason things
> don't match up perfectly.

That can be a problem even with all the logs in one file.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
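
Added example, not part of the original message and not Postfix or Cyrus SASL code: a sketch of the decoding a SASL implementation has to do before an AUTH PLAIN username exists at all, following RFC 4616 (base64 of authzid NUL authcid NUL passwd). The function names, the client string and the log format are hypothetical, and the sample tokens are constructed.

```python
import base64
import binascii

def plain_username(token):
    """Return the authcid from a SASL PLAIN initial response (RFC 4616),
    or None when the token is malformed. The password is never returned."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None                       # not base64 at all
    parts = raw.split(b"\x00")
    if len(parts) != 3:                   # [authzid] NUL authcid NUL passwd
        return None
    _authzid, authcid, passwd = parts
    if not authcid or not passwd:         # both are required by the RFC
        return None
    try:
        return authcid.decode("utf-8")
    except UnicodeDecodeError:
        return None

def safe_for_log(text):
    """Replace control characters so a hostile username cannot forge log lines."""
    return "".join(c if c.isprintable() else "?" for c in text)

def failure_line(client, token):
    """Hypothetical log format for a failed AUTH PLAIN attempt."""
    user = plain_username(token)
    shown = safe_for_log(user) if user is not None else "(none: token not decodable)"
    return f"{client}: SASL PLAIN authentication failed: sasl_username={shown}"

if __name__ == "__main__":
    # Constructed sample tokens; the second is the string from the message above.
    samples = [
        base64.b64encode(b"\x00alice\x00wrong-password").decode(),
        "thisStringIsNotValidAUTH",
        base64.b64encode(b"\x00bob\nforged entry\x00x").decode(),
    ]
    for tok in samples:
        print(failure_line("client.example[192.0.2.10]", tok))
```

The token from the message is valid base64 but decodes to bytes with no NUL separators, so no username can be extracted from it; only the first and third samples yield one.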
