Postfix/Courier failed logins log location?

[stealthy]

Many thanks to Falko for the awesome tut http://www.howtoforge.com/virtual-us...l-ubuntu-12.10 .

One thing, however, is lacking, which involves security and protection against brute force attacks. In my humble opinion, security should be part of every tutorial.

I am using Ubuntu 12.10 and can't figure out the location of the logs that would record the falied SMTP, POP3, IMAP logins.

Would Falko or anyone tell us in which log these records might be, how to enable the logging? How the failed authentication attempts look, so we might set up fail2ban filter to block brute force attacks.

Vielen Dank!

[stealthy]

Looking at the tut, the auth mechanism is PAM, so the log should be /var/log/auth.log

I can see this in auth.log. Is this the authentication attempt?

Code:

Jan 23 08:16:45 romeo postfix/smtps/smtpd[24047]: sql auxprop plugin using mysql engine
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin Parse the username name@domain.com
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin try and connect to a host
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin trying to open db 'mail' on host '127.0.0.1'
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: begin transaction
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin create statement from userPassword name domain.com
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin doing query select password from users where email = 'name@domain.com';
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: commit transaction
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin Parse the username name@domain.com
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin try and connect to a host
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin trying to open db 'mail' on host '127.0.0.1'

Where's the POP3 login record?

And how does a failed authentication attempt look like?

[falko]

Check out /var/log/mail.log.

[stealthy]

Quote:

Originally Posted by falko

Check out /var/log/mail.log.

That log has nothing of value in regards of the information that I am after.

Having done some of my research, the pop3 authentication is defined in Curier, namely

Code:

/etc/courier/authdaemonrc

and

Code:

/etc/courier/po3d-ssl

. See this URL for more information:

http://www.courier-mta.org/authlib/R...authdebug.html

After changing the setting

Code:

DEBUG_LOGIN=1

and enabling the debug info to be in the log (must issue "

Code:

authdaemond stop

" and "

Code:

authdaemond start

" commands), I finally got some half-useful information about the POP3 user getting logged.

However, I am not done in my quest of finding out which ciphers are being negotiated and chosen when making the POP3 handshake. The file

Code:

/etc/courier/po3d-ssl

lets you define some cipher options, but I need the know the actual log of the event.