> On 22/07/2024 19:14 EEST Yassine Chaouche via dovecot <dovecot@dovecot.org> wrote:
> 
>  
> Dear list,
> 
> Look at this grep auth-worker | nl output from my dovecot log:
> 
>     166  Jul 22 15:49:47 auth-worker(24409): Info: sql(hakim.boukha...@domain.tld): unknown user
>     167  Jul 22 15:49:47 auth-worker(13026): Info: sql(p...@domain.tld): unknown user
>     168  Jul 22 15:53:00 auth-worker(13026): Info: sql(feriel.ab...@domain.tld,10.10.10.19): Password mismatch
>     169  Jul 22 15:53:15 auth-worker(13026): Info: sql(feriel.ab...@domain.tld,10.10.10.19): Password mismatch
>     170  Jul 22 15:55:26 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
>     171  Jul 22 15:59:30 auth-worker(13026): Info: sql(radioaintemouchent.domain.tld,10.10.10.19): unknown user
>     172  Jul 22 15:59:43 auth-worker(13026): Info: sql(mouadouss...@radioalgerie.dz): unknown user
>     173  Jul 22 16:00:38 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
>     174  Jul 22 16:00:58 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
>     175  Jul 22 16:02:01 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
>     176  Jul 22 16:09:35 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
>     177  Jul 22 16:09:42 auth-worker(13026): Info: sql(p...@domain.tld): unknown user
>     178  Jul 22 16:10:11 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
>     179  Jul 22 16:15:37 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
>     180  Jul 22 16:26:55 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
>     181  Jul 22 16:32:01 auth-worker(13026): Info: sql(it_...@domain.tld): unknown user
>     182  Jul 22 16:35:37 auth-worker(19555): Info: sql(it_...@domain.tld): unknown user
> 
> As you can see,
> sometimes the IP addresses of the dubious login attempts are noted,
> other times this crucial piece of evidence is conspicuously absent.
> 
> I am wondering what is the source of all those login attempts?
> Or could those be mere username lookups instead, to test for mail deliverability?
> 
> Many thanks,
> 
> -- 
> yassine -- sysadm

You would probably want to use the new event based system for these logs:

event_exporter log {
  format = json
  format_args = time-rfc3339
  transport = log
}

metric auth_failed {
  filter = event=auth_request_finished and not success=yes
  exporter=log
}

Aki
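
To triage auth-worker lines of the kind quoted in the question, here is an added example (not part of either message, and not Dovecot code) that parses lines in that shape and splits the failures by whether a client IP was logged. The sample lines, addresses and function names are constructed for illustration, and the line layout is assumed to match the excerpt above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the log excerpt quoted above (not real data).
SAMPLE = """\
Jul 22 15:49:47 auth-worker(24409): Info: sql(alice@example.test): unknown user
Jul 22 15:53:00 auth-worker(13026): Info: sql(bob@example.test,192.0.2.19): Password mismatch
Jul 22 15:53:15 auth-worker(13026): Info: sql(bob@example.test,192.0.2.19): Password mismatch
Jul 22 15:55:26 auth-worker(13026): Info: sql(it_support@example.test): unknown user
Jul 22 15:59:30 auth-worker(13026): Info: sql(example.test,192.0.2.19): unknown user
Jul 22 16:00:38 auth-worker(13026): Info: sql(it_support@example.test): unknown user
Jul 22 16:01:02 auth-worker(13026): Info: some unrelated message
"""

# Optional `nl` line number, timestamp, then db(user[,ip[,...]]): reason
LINE_RE = re.compile(
    r"^(?:\d+\s+)?(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+"
    r"auth-worker\((?P<pid>\d+)\):\s+Info:\s+"
    r"(?P<db>\w+)\((?P<user>[^,)]*)(?:,(?P<ip>[^,)]+))?[^)]*\):\s+"
    r"(?P<reason>.+)$"
)


def parse(text):
    """Yield a dict for every auth-worker failure line; ignore anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(text):
    """Count (user, reason) pairs, split by whether a client IP was logged."""
    with_ip, without_ip = Counter(), Counter()
    sources = defaultdict(set)  # user -> set of client IPs seen
    for rec in parse(text):
        key = (rec["user"], rec["reason"])
        if rec["ip"]:
            with_ip[key] += 1
            sources[rec["user"]].add(rec["ip"])
        else:
            without_ip[key] += 1
    return with_ip, without_ip, dict(sources)


if __name__ == "__main__":
    with_ip, without_ip, sources = summarize(SAMPLE)
    for label, counts in (("with IP", with_ip), ("no IP", without_ip)):
        for (user, reason), n in counts.most_common():
            print(f"{label:8} {n:3}  {user}  {reason}  {sorted(sources.get(user, []))}")
```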