Logging Question: SASL Auth Failures?

Logging Question: SASL Auth Failures?

Jim Seymour-2
Hi All,

Each of the various servers I admin occasionally gets inundated with
things like

    Jan 13 07:33:06 jimsun postfix/submission/smtpd[25328]: warning:
    unknown[59.95.95.239]: SASL LOGIN authentication failed:
    UGFzc3dvcmQ6

I want these to go to the auth log, rather than, or in addition to,
the mail log.

Anybody know what is the syslog severity level and facility code
attached to SASL auth errors?

Thanks,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.

Re: Logging Question: SASL Auth Failures?

Wietse Venema
Jim Seymour:
> Hi All,
>
> Each of the various servers I admin occasionally gets inundated with
> things like
>
>     Jan 13 07:33:06 jimsun postfix/submission/smtpd[25328]: warning:
>     unknown[59.95.95.239]: SASL LOGIN authentication failed:
>     UGFzc3dvcmQ6

This warning is produced by Postfix code, not by a SASL library.

> I want these to go to the auth log, rather than, or in addition to,
> the mail log.
>
> Anybody know what is the syslog severity level and facility code
> attached to SASL auth errors?

Postfix uses the same facility (main.cf:syslog_facility) for all
syslog records.

With rsyslogd.conf you can route based on content.

:msg, contains, "SASL LOGIN" /var/log/whatever
:msg, contains, "SASL LOGIN" ~

This is based on information from the web, which is often incorrect.

        Wietse

Re: Logging Question: SASL Auth Failures?

Jim Seymour-2
On Wed, 20 Jan 2021 10:33:37 -0500 (EST)
Wietse Venema <[hidden email]> wrote:

[snip]
>
> With rsyslogd.conf you can route based on content.
>
> :msg, contains, "SASL LOGIN" /var/log/whatever
> :msg, contains, "SASL LOGIN" ~
>
> This is based on information from the web, which is often incorrect.

Ok.  Thanks, Wietse.

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
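
An added example, not part of the thread and not Postfix or rsyslog code: a small Python parser for the warning line quoted above that counts failures per client address and decodes the trailing base64 token, which for the line in the thread is `Password:`. The function names and every sample line after the first are assumptions made for illustration.

```python
import base64
import re
from collections import Counter

# The Postfix smtpd warning from the thread, as one log line (the e-mail wrapped it).
FAILURE = re.compile(
    r"postfix/(?P<service>[\w/-]+)\[\d+\]: warning: "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed(?:: (?P<detail>.*))?$"
)

def decode_detail(detail):
    """Return the decoded text when detail is base64 of printable ASCII, else detail."""
    try:
        text = base64.b64decode(detail, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return detail
    return text if text.isprintable() else detail

def parse_failure(line):
    """Parse one syslog line; None when it is not a SASL failure warning."""
    m = FAILURE.search(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["detail"] = decode_detail(rec["detail"] or "")
    return rec

def failures_by_ip(lines):
    """Count SASL failure warnings per client address."""
    return Counter(r["ip"] for r in map(parse_failure, lines) if r)

# First line is the one quoted in the thread; the rest are constructed samples
# using documentation addresses (192.0.2.0/24).
SAMPLE = [
    "Jan 13 07:33:06 jimsun postfix/submission/smtpd[25328]: warning: "
    "unknown[59.95.95.239]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 13 07:33:07 jimsun postfix/submission/smtpd[25329]: connect from unknown[192.0.2.10]",
    "Jan 13 07:33:08 jimsun postfix/submission/smtpd[25329]: warning: "
    "unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 13 07:33:09 jimsun postfix/submission/smtpd[25329]: warning: "
    "unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure",
]

if __name__ == "__main__":
    for ip, count in failures_by_ip(SAMPLE).most_common():
        print(ip, count)
```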