Many thanks to Falko for the awesome tut http://www.howtoforge.com/virtual-u...x-courier-mysql-and-squirrelmail-ubuntu-12.10 . One thing, however, is lacking, which involves security and protection against brute force attacks. In my humble opinion, security should be part of every tutorial. I am using Ubuntu 12.10 and can't figure out the location of the logs that would record the failed SMTP, POP3, IMAP logins. Would Falko or anyone tell us in which log these records might be, and how to enable the logging? What do the failed authentication attempts look like, so we might set up a fail2ban filter to block brute force attacks? Many thanks!
Looking at the tut, the auth mechanism is PAM, so the log should be /var/log/auth.log.

I can see this in auth.log. Is this the authentication attempt?

Code:
Jan 23 08:16:45 romeo postfix/smtps/smtpd[24047]: sql auxprop plugin using mysql engine
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin Parse the username [email protected]
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin try and connect to a host
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin trying to open db 'mail' on host '127.0.0.1'
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: begin transaction
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin create statement from userPassword name domain.com
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin doing query select password from users where email = '[email protected]';
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: commit transaction
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin Parse the username [email protected]
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin try and connect to a host
Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin trying to open db 'mail' on host '127.0.0.1'

Where's the POP3 login record? And what does a failed authentication attempt look like?
That log has nothing of value with regard to the information that I am after. Having done some of my research, the POP3 authentication is defined in Courier, namely /etc/courier/authdaemonrc and /etc/courier/pop3d-ssl. See this URL for more information: http://www.courier-mta.org/authlib/README.authdebug.html

After changing the setting DEBUG_LOGIN=1 and enabling the debug info to be in the log (must issue "authdaemond stop" and "authdaemond start" commands), I finally got some half-useful information about the POP3 user getting logged. However, I am not done in my quest of finding out which ciphers are being negotiated and chosen when making the POP3 handshake. The file /etc/courier/pop3d-ssl lets you define some cipher options, but I need to know the actual log of the event.
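
Added example, not part of any post in this thread: a small Python check that applies fail2ban-style thresholds to mail log lines, so candidate patterns can be tested before they go into a filter. The sample lines are constructed, the two failure formats (Courier "LOGIN FAILED" and Postfix "SASL ... authentication failed") are assumptions about typical syslog output that should be confirmed against the server's own log, and the names `offenders`, `max_retry` and `find_time` are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the failure formats are assumptions, not taken from the thread.
SAMPLE_LOG = """\
Jan 23 08:20:01 romeo pop3d: LOGIN FAILED, user=alice@example.test, ip=[::ffff:203.0.113.7]
Jan 23 08:20:03 romeo pop3d: LOGIN FAILED, user=bob@example.test, ip=[::ffff:203.0.113.7]
Jan 23 08:20:04 romeo imapd: LOGIN FAILED, method=PLAIN, ip=[::ffff:203.0.113.7]
Jan 23 08:20:09 romeo postfix/smtpd[24100]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Jan 23 08:21:00 romeo pop3d: LOGIN, user=carol@example.test, ip=[::ffff:192.0.2.10], port=[51234]
Jan 23 08:45:00 romeo pop3d: LOGIN FAILED, user=alice@example.test, ip=[::ffff:203.0.113.7]
"""

PATTERNS = [
    # Courier pop3d/imapd (plain and -ssl); the IPv4-mapped "::ffff:" prefix is dropped.
    re.compile(r"(?:pop3d|imapd)(?:-ssl)?: LOGIN FAILED, .*ip=\[(?:::ffff:)?(?P<ip>[0-9a-fA-F.:]+)\]"),
    # Postfix smtpd, including sub-services such as postfix/smtps/smtpd.
    re.compile(r"postfix/(?:\w+/)?smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"),
]

def offenders(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2000):
    """Return {ip: failures} for IPs with at least max_retry failures within find_time."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                # syslog timestamps carry no year, so the caller supplies one
                ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
                hits[m.group("ip")].append(ts)
                break
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until it spans at most find_time
            while t - times[start] > find_time:
                start += 1
            best = max(best, end - start + 1)
        if best >= max_retry:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

The SQL auxprop debug lines quoted earlier in the thread match neither pattern, which is the expected result: they record the lookup, not the outcome of the login.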