[Mimedefang] detect failed auth

David F. Skoll dfs at roaringpenguin.com
Wed Sep 10 10:29:29 EDT 2014


On Wed, 10 Sep 2014 16:08:31 +0200
Frank Doepper <fd at taz.de> wrote:

> Unfortunately saslauthd does not log the IP address.

Ah.  This apparently is a long-standing problem:

http://objectmix.com/sendmail/760733-getting-ip-address-failed-authentications.html

I believe if you increase the Sendmail log level to higher than 9, it
will log lines like this:

Sep 10 10:27:46 vanadium sm-mta[2670]: s8AEQtDU002670: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed

which unfortunately does NOT include the remote IP.  However, later
on if the client disconnects, you'll get:

Sep 10 10:28:04 vanadium sm-mta[2670]: s8AEQtDU002670: dfs at hydrogen.roaringpenguin.com [192.168.10.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6

so you have to correlate those lines based on queue-ID to figure out which
IP is failing AUTH.

All in all, quite painful.  And the default log level is 9, so these
messages are not usually logged.

Regards,

David.
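
The queue-ID correlation described in the message above, as an added example that is not part of the original post: a Python script that pairs each AUTH failure line with the later "did not issue MAIL" line carrying the same queue ID and counts failures per IP. The first two sample lines are the ones quoted in the post; the other lines, their queue IDs and the 203.0.113.x addresses are constructed, and the optional `IPv6:` prefix inside the brackets is an assumption about how Sendmail prints IPv6 peers.

```python
import re
from collections import Counter

# Syslog prefix up to the Sendmail queue ID, e.g. "sm-mta[2670]: s8AEQtDU002670: "
QID = r"\S+\[\d+\]: (?P<qid>\w+): "
AUTH_FAIL = re.compile(QID + r"AUTH failure \((?P<mech>[^)]+)\)")
# Assumption: IPv6 peers appear as "[IPv6:addr]"; IPv4 peers as "[a.b.c.d]".
NO_MAIL = re.compile(QID + r".*\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\] did not issue MAIL")

def failed_auth_by_ip(lines):
    """Return (AUTH failures per IP, queue IDs whose IP was never logged)."""
    pending = Counter()  # queue ID -> failures seen, peer IP not yet known
    per_ip = Counter()
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            pending[m["qid"]] += 1
            continue
        m = NO_MAIL.search(line)
        # Only count disconnect lines whose queue ID had an AUTH failure.
        if m and m["qid"] in pending:
            per_ip[m["ip"]] += pending.pop(m["qid"])
    return per_ip, set(pending)

# Sample input: lines 1-2 are from the post, the rest are constructed.
SAMPLE = [
    "Sep 10 10:27:46 vanadium sm-mta[2670]: s8AEQtDU002670: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed",
    "Sep 10 10:28:04 vanadium sm-mta[2670]: s8AEQtDU002670: dfs at hydrogen.roaringpenguin.com [192.168.10.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6",
    "Sep 10 10:30:01 vanadium sm-mta[2688]: s8AEU1Ab002688: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed",
    "Sep 10 10:30:03 vanadium sm-mta[2688]: s8AEU1Ab002688: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed",
    "Sep 10 10:30:09 vanadium sm-mta[2688]: s8AEU1Ab002688: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4",
    # Failed AUTH with no disconnect line yet: the IP stays unknown.
    "Sep 10 10:31:15 vanadium sm-mta[2701]: s8AEVFaa002701: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed",
    # Connection that never tried AUTH: must not be counted.
    "Sep 10 10:32:40 vanadium sm-mta[2710]: s8AEWeCd002710: [203.0.113.9] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4",
]

if __name__ == "__main__":
    per_ip, unresolved = failed_auth_by_ip(SAMPLE)
    for ip, count in per_ip.most_common():
        print(f"{ip}\t{count} failed AUTH")
    print("no IP logged for:", sorted(unresolved))
```

Queue IDs left in the second return value are connections that failed AUTH but never produced the disconnect line, so their IP cannot be recovered from these two message types alone.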


