Postfix/Courier failed logins log location?

Discussion in 'Server Operation' started by stealthy, Jan 23, 2013.

  1. stealthy

    stealthy New Member

    Many thanks to Falko for the awesome tut http://www.howtoforge.com/virtual-u...x-courier-mysql-and-squirrelmail-ubuntu-12.10 .

    One thing, however, is lacking, which involves security and protection against brute force attacks. In my humble opinion, security should be part of every tutorial.

    I am using Ubuntu 12.10 and can't figure out the location of the logs that would record the failed SMTP, POP3, IMAP logins.

    Would Falko or anyone tell us in which log these records might be and how to enable the logging? How do the failed authentication attempts look, so we might set up a fail2ban filter to block brute force attacks?

    Many thanks!
     
    Last edited: Jan 23, 2013
  2. stealthy

    stealthy New Member

    Looking at the tut, the auth mechanism is PAM, so the log should be /var/log/auth.log

    I can see this in auth.log. Is this the authentication attempt?
    Code:
    Jan 23 08:16:45 romeo postfix/smtps/smtpd[24047]: sql auxprop plugin using mysql engine
    Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin Parse the username name@domain.com
    Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin try and connect to a host
    Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin trying to open db 'mail' on host '127.0.0.1'
    Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: begin transaction
    Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin create statement from userPassword name domain.com
    Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin doing query select password from users where email = 'name@domain.com';
    Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: commit transaction
    Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin Parse the username name@domain.com
    Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin try and connect to a host
    Jan 23 08:16:46 romeo postfix/smtps/smtpd[24047]: sql plugin trying to open db 'mail' on host '127.0.0.1'
    
    Where's the POP3 login record?

    And what does a failed authentication attempt look like?
     
    Last edited: Jan 23, 2013
  3. falko

    falko Super Moderator

    Check out /var/log/mail.log.
     
  4. stealthy

    stealthy New Member

    That log has nothing of value in regard to the information that I am after.

    Having done some of my research, the POP3 authentication is defined in Courier, namely in /etc/courier/authdaemonrc and /etc/courier/pop3d-ssl. See this URL for more information:

    http://www.courier-mta.org/authlib/README.authdebug.html

    After changing the setting DEBUG_LOGIN=1 and enabling the debug info to be in the log (must issue the "authdaemond stop" and "authdaemond start" commands), I finally got some half-useful information about the POP3 user getting logged.

    However, I am not done in my quest of finding out which ciphers are being negotiated and chosen when making the POP3 handshake. The file /etc/courier/pop3d-ssl lets you define some cipher options, but I need to know the actual log of the event.
     
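As an added example (not from the thread or from Falko's tutorial), here is a small Python script that applies the fail2ban maxretry/findtime rule to a few constructed mail.log lines, which is the check the first post asks about. The line formats are assumed to be the standard Postfix SASL warning and the Courier pop3d/imapd "LOGIN FAILED" entry; confirm them against your own /var/log/mail.log before turning the patterns into a filter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not taken from the thread). The formats follow
# the usual Postfix SASL warning and Courier "LOGIN FAILED" lines; verify
# them against your own mail.log before relying on the patterns below.
SAMPLE_LOG = """\
Jan 23 08:16:46 romeo postfix/smtpd[24047]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jan 23 08:16:49 romeo postfix/smtpd[24047]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jan 23 08:17:02 romeo pop3d: LOGIN FAILED, user=name@domain.com, ip=[::ffff:203.0.113.5]
Jan 23 08:17:10 romeo imapd-ssl: LOGIN FAILED, user=admin, ip=[::ffff:198.51.100.7]
Jan 23 08:17:30 romeo pop3d: LOGIN, user=name@domain.com, ip=[::ffff:192.0.2.9]
Jan 23 08:20:15 romeo pop3d-ssl: LOGIN FAILED, user=name@domain.com, ip=[::ffff:203.0.113.5]
"""

# One pattern per daemon; each captures the client address as "ip".
PATTERNS = [
    re.compile(r"postfix/\S+\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed"),
    re.compile(r"(?:pop3d|imapd)(?:-ssl)?: LOGIN FAILED, user=\S+, ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]"),
]
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")

def parse_failures(text, year=2013):
    """Yield (timestamp, ip) for every failed-login line; skip everything else."""
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        for pat in PATTERNS:
            hit = pat.search(line)
            if hit:
                # syslog lines carry no year, so one is supplied by the caller
                ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
                yield ts, hit.group("ip")
                break

def offenders(text, maxretry=3, findtime=600):
    """Return the IPs with at least maxretry failures inside any window of
    findtime seconds, the same rule fail2ban's maxretry/findtime express."""
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(text):
        per_ip[ip].append(ts)
    banned = set()
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(ip)
                break
    return sorted(banned)

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # → ['203.0.113.5']
```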
