Hi,

To answer Hadmut's original question: I believe that in order to log both
postfix and saslauthd to the same file, you should configure both of them
to use the same logging backend (syslog), and configure that backend to save
their logs to the same place.

However, depending on your server load: if you receive two login attempts
at the same time, can you then distinguish which saslauthd log line
corresponds to which postfix line?

Hence, I also can't stop myself from describing how I'm logging
ip/login/password of failed login attempts to my server. I believe it's not
"best practice", but hopefully someone will find it interesting or amusing.

Apparently, you can use nginx as a reverse proxy for smtp connections[1]
(remember to enable XCLIENT in both nginx and postfix configs or your
server might turn into an open relay) - it can strip ssl/starttls and
forward plaintext smtp to postfix, and also check the username/password. As
part of configuring it, you need to set up an "http_auth" server[2] - it
receives the remote IP, username and password (or the MAIL FROM and RCPT TO
email addresses in case the remote client decided to send a message without
authentication) and tells nginx the IP address of the postfix server.

In the simplest case it can be configured using 6~9 lines of nginx config
itself[3]. But it can just as well be any HTTP server doing anything you like,
like logging all ip/username/password combinations or forwarding
connections to different servers based on the first letter of the recipient
username.

If anyone is interested, my current config is at
https://github.com/Lex-2008/containers/blob/master/nginx.cont/data/conf/nginx.conf#L84
and HTMLized last ~1000 lines of log at
http://alexey.shpakovsky.ru/en/login-attempts.html

I'm not really sure that's the solution that you're looking for, but
hopefully someone will find it interesting or amusing.

Links:
[1]: https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/
[2]: https://nginx.org/en/docs/mail/ngx_mail_auth_http_module.html#protocol
[3] simple auth server:
https://github.com/Lex-2008/containers/blob/311aa65ff7ba723b01e8e6f1f23cff67dcb0a700/nginx.cont/data/conf/nginx.conf#L56-L65

Thanks,
Aleksei.


On Fri, Jul 30, 2021 at 4:50 PM Hadmut Danisch <[email protected]> wrote:

> Hi,
>
> we are experiencing permanent high traffic from numerous sites trying to
> smtp auth to our postfix node, obviously trying to brute force password
> dictionaries against mail address lists probably taken from spam lists
> (including lots of older message ids with the same syntax as mail
> addresses).
>
> For some reason beyond the common noise we need to do some deeper
> analysis about who is trying which user account from where.
>
> Unfortunately, the required data, i.e. client IP address and username
> are distributed in different log files. The IP address is written to
> postfix's log, while the username is in saslauthd's log in case of
> failure, with the time stamp as the only link between both.
>
>
> Is there some best current practice or recommended log config to analyze
> persistent login attempts?
>
>
> (We are considering limiting smtp auth to the submission port 587 and
> having a blacklist for that in the firewall, but maintaining such a
> blacklist still requires understanding who is attacking and how.)
>
>
> regards
>
> Hadmut

-- 
Aleksei Shpakovskii
Quality Automation Engineer / Release Coordinator
CFEngine / Northern.tech
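Below is an added example of the "http_auth" backend that the reply above describes; it is not Aleksei's nginx config from the linked repository and not part of the original thread. It implements the request/response header protocol of nginx's auth_http module ([2]): nginx sends one HTTP request per login attempt carrying Auth-Method, Auth-User, Auth-Pass, Auth-Protocol, Auth-Login-Attempt and Client-IP (or Auth-SMTP-From/Auth-SMTP-To for an unauthenticated SMTP session), and expects Auth-Status plus, on success, Auth-Server and Auth-Port in the response. Because the backend sees the client IP, username and password in a single request, it can write one log line that already contains everything Hadmut wanted to correlate, with no timestamp matching between postfix and saslauthd logs. The backend address and ports, the credential table, the listening port 9000 and the JSON log format are assumptions made for this example.

```python
"""Minimal nginx auth_http backend (added example, not the thread author's code).

Run it, then point nginx at it with `auth_http 127.0.0.1:9000/auth;` inside
the mail {} block.  Every attempt is logged as one JSON line that contains
client IP, username and, for failed attempts only, the password tried.
"""
import hmac
import json
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Assumed backend that accepted sessions are proxied to (postfix/dovecot).
BACKEND_HOST = "127.0.0.1"
BACKEND_PORTS = {"smtp": 25, "imap": 143, "pop3": 110}

# Constructed credential table standing in for a real user database.
CREDENTIALS = {"alice": "correct horse battery staple"}

# Seconds nginx makes the client wait before it may retry (Auth-Wait header).
RETRY_DELAY = 3

log = logging.getLogger("auth_http")


def decide(headers):
    """Handle one auth_http request.

    `headers` maps the request header names nginx sends (any case) to their
    raw values.  Returns (response_headers, record): the headers to send back
    to nginx and the dict that becomes the log line.
    """
    h = {k.lower(): v for k, v in headers.items()}
    proto = h.get("auth-protocol", "smtp").lower()
    method = h.get("auth-method", "none").lower()
    # nginx percent-escapes the login and password before sending them.
    user = unquote(h.get("auth-user", ""))
    password = unquote(h.get("auth-pass", ""))
    try:
        attempt = int(h.get("auth-login-attempt", "1"))
    except ValueError:
        attempt = 1

    record = {
        "client_ip": h.get("client-ip", ""),
        "client_host": h.get("client-host", ""),
        "protocol": proto,
        "method": method,
        "user": user,
        "attempt": attempt,
    }

    if method == "none" and proto == "smtp":
        # Unauthenticated SMTP: nginx sends envelope data instead of a login.
        # Hand the session to postfix, which applies its own relay policy.
        record.update({
            "helo": h.get("auth-smtp-helo", ""),
            "mail_from": h.get("auth-smtp-from", ""),
            "rcpt_to": h.get("auth-smtp-to", ""),
            "result": "relay-to-backend",
        })
        return ({"Auth-Status": "OK",
                 "Auth-Server": BACKEND_HOST,
                 "Auth-Port": str(BACKEND_PORTS["smtp"])}, record)

    expected = CREDENTIALS.get(user)
    if (proto in BACKEND_PORTS and expected is not None
            and hmac.compare_digest(expected.encode(), password.encode())):
        record["result"] = "ok"
        return ({"Auth-Status": "OK",
                 "Auth-Server": BACKEND_HOST,
                 "Auth-Port": str(BACKEND_PORTS[proto])}, record)

    # Failure: record the password tried (as the thread author does for
    # failed attempts) and tell nginx to reject and delay the client.
    record["result"] = "failed"
    record["password"] = password
    resp = {"Auth-Status": "Invalid login or password",
            "Auth-Wait": str(RETRY_DELAY)}
    if proto == "smtp":
        resp["Auth-Error-Code"] = "535 5.7.8"  # RFC 4954 auth failure code
    return resp, record


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        resp, record = decide(dict(self.headers.items()))
        log.info(json.dumps(record, sort_keys=True))
        self.send_response(200)
        for name, value in resp.items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, *args):
        pass  # suppress the default per-request stderr line


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

The backend never talks to the mail client itself: nginx relays "Invalid login or password" and, for SMTP, the 535 code from Auth-Error-Code, and Auth-Wait makes nginx hold the connection before the next attempt, which slows dictionary runs without any firewall blacklist. Logging cleartext passwords of failed attempts is a deliberate choice copied from the reply above; treat that log file as sensitive, since mistyped real passwords land in it too.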
