Hello! I'm looking for a way to detect and distinguish different kinds of auth failures. Right now, I'm feeling a bit stuck by my inability to get all the data I'd like in one place at the same time.
Right now, we're using SASL authentication with pwcheck. pwcheck, of course, only gets two data: username and password. It can't take any action based on the IP address of the remote. Meanwhile, postfix's logs on failure don't appear to show me the username on failed AUTH attempts. I'd like to be able to distinguish the cases resulting from the intersections of (one password over and over / many different passwords), (one username / many usernames), (one IP address, many IP addresses). With these data, I can take better action to detect, classify, and react to bad actors. I'm happy (I guess) to end up having to write code to make this happen, but I'm not sure where I could do it. -- rjbs
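One way to get the three cardinalities the post asks about (passwords, usernames, source addresses) into one place and act on them, as an added example that is not code from the original post: it assumes the failure events have already been joined into one record per attempt carrying the client IP, the username and a keyed fingerprint of the password (for instance by a wrapper around pwcheck that is handed the client address). The record format, the addresses, usernames and passwords below are constructed; the classifier itself is the general eight-way table of which the post lists the dimensions.

```python
import hmac
import hashlib
import re
from collections import Counter

# Constructed line format (an assumption, not postfix's or pwcheck's own):
# one line per failed attempt that joins what pwcheck sees (username, password)
# with what postfix sees (client IP). The password itself is never written;
# it is reduced to a keyed fingerprint so repeated guesses can be correlated
# across lines without the log holding anything an attacker could reuse.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth-fail ip=(?P<ip>\S+) user=(?P<user>\S+) pwfp=(?P<pwfp>[0-9a-f]{12})$"
)

# Placeholder secret; in practice a per-host secret kept out of the log itself,
# so the fingerprint cannot be tested against candidate passwords offline.
FINGERPRINT_KEY = b"constructed-per-host-secret"


def fingerprint_password(password: str) -> str:
    """HMAC-SHA256 of the password under the host key, truncated to 12 hex chars."""
    return hmac.new(FINGERPRINT_KEY, password.encode(), hashlib.sha256).hexdigest()[:12]


def make_line(ts: str, ip: str, user: str, password: str) -> str:
    """Emit one failure record in the constructed format (what a logging wrapper could write)."""
    return f"{ts} auth-fail ip={ip} user={user} pwfp={fingerprint_password(password)}"


def parse_line(line: str):
    """Return the fields of one record, or None for a line that is not a failure record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cardinality(values) -> str:
    return "one" if len(set(values)) == 1 else "many"


# (passwords, users, ips) -> what that combination usually means
LABELS = {
    ("one", "one", "one"): "single client repeating one credential (stale config or one stuck user)",
    ("many", "one", "one"): "brute force: one source guessing many passwords for one account",
    ("one", "many", "one"): "password spray: one source trying one password across many accounts",
    ("many", "many", "one"): "credential stuffing: one source sweeping many user/password pairs",
    ("one", "one", "many"): "one credential replayed from many sources (leaked credential or shared misconfiguration)",
    ("many", "one", "many"): "distributed brute force against one account",
    ("one", "many", "many"): "distributed password spray",
    ("many", "many", "many"): "distributed credential stuffing or mixed activity; split by source and re-check",
}


def classify_window(lines):
    """Parse a batch of records (one observation window) and label the failure pattern."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    if not events:
        return None
    pattern = (
        cardinality(e["pwfp"] for e in events),
        cardinality(e["user"] for e in events),
        cardinality(e["ip"] for e in events),
    )
    return {
        "attempts": len(events),
        "pattern": pattern,
        "label": LABELS[pattern],
        # the busiest sources and targets, so a response can be scoped
        "top_ips": Counter(e["ip"] for e in events).most_common(3),
        "top_users": Counter(e["user"] for e in events).most_common(3),
    }


# Constructed sample windows (RFC 5737 documentation addresses, made-up users).
SPRAY = [make_line(f"2024-01-01T10:00:{i:02d}", "198.51.100.7", u, "Winter2024!")
         for i, u in enumerate(["alice", "bob", "carol", "dave"])]
BRUTE = [make_line(f"2024-01-01T11:00:{i:02d}", "203.0.113.5", "alice", f"guess{i}")
         for i in range(5)]
STALE = [make_line(f"2024-01-01T12:00:{i:02d}", "192.0.2.9", "bob", "oldpassword")
         for i in range(3)]
NOISE = ["2024-01-01T12:00:03 connect from unknown[192.0.2.9]"]  # not a failure record


if __name__ == "__main__":
    for name, window in (("spray", SPRAY), ("brute", BRUTE), ("stale", STALE + NOISE)):
        print(name, classify_window(window)["label"])
```

The window size is the main tuning knob: run it per source address over a short window to catch brute force and sprays early, and over the whole fleet for a longer window to see distributed activity that no single source reveals. The fingerprint only has to be stable within the window, so rotating the key daily costs nothing and limits what an exposed log gives away.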