Unfortunately, the required data, i.e. client IP address and username
are distributed in different log files. The IP address is written to
postfix's log, while the username is in saslauthd's log in case of
failure, with the time stamp as the only link between both.
Is there some best current practice or recommended log config to analyze
persistent login attempts?
This is kind of a dovecot thing more than a postfix thing. One option
is...
In dovecot core conf:
auth_verbose = yes
auth_verbose_passwords=sha1
If using rsyslog for logging you can separate logins to their own log
for easier scanning:
if $programname == "dovecot" and $msg startswith "auth-worker" then {
-/var/log/mail/dovecot_auth
stop
}
Would give you logs with the user, IP and the hashed password tried to
see if it's repeating the same password (dumb client) vs brute force:
Jul 30 11:05:11 mx dovecot[9737]: auth-worker(12362): conn unix:auth-worker (pid=12361,uid=97): auth-worker<1>: sql(t...@example.com,100.101.102.103,<DFbMi1jIU9BoiAwp>): Password mismatch (given password: <REDACTED>)
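To show the "same password vs brute force" distinction in practice, here is an added example (not from the thread or from Dovecot) that parses auth-worker mismatch lines, groups them by user and client IP, and labels each pair by how many distinct password hashes were tried. The log lines, the `sha1:` hash tokens and the passdb name are constructed to match the format quoted above; any passdb name (sql, passwd-file, ...) is accepted, and the minimum-attempt threshold is an assumed default.

```python
import re
from collections import defaultdict

# Constructed sample lines in the dovecot auth-worker format quoted above.
# The sha1 tokens are made-up placeholders, not real digests.
SAMPLE_LOG = """\
Jul 30 11:05:11 mx dovecot[9737]: auth-worker(12362): conn unix:auth-worker (pid=12361,uid=97): auth-worker<1>: sql(t.user@example.com,100.101.102.103,<DFbMi1jIU9BoiAwp>): Password mismatch (given password: sha1:aaaa0001)
Jul 30 11:05:41 mx dovecot[9737]: auth-worker(12362): conn unix:auth-worker (pid=12361,uid=97): auth-worker<1>: sql(t.user@example.com,100.101.102.103,<Q1bMi1jIU9BoiAwq>): Password mismatch (given password: sha1:aaaa0001)
Jul 30 11:06:11 mx dovecot[9737]: auth-worker(12362): conn unix:auth-worker (pid=12361,uid=97): auth-worker<1>: sql(t.user@example.com,100.101.102.103,<R2bMi1jIU9BoiAwr>): Password mismatch (given password: sha1:aaaa0001)
Jul 30 11:06:41 mx dovecot[9737]: auth-worker(12362): conn unix:auth-worker (pid=12361,uid=97): auth-worker<1>: sql(t.user@example.com,100.101.102.103,<S3bMi1jIU9BoiAws>): Password mismatch (given password: sha1:aaaa0001)
Jul 30 11:07:02 mx dovecot[9737]: auth-worker(12362): conn unix:auth-worker (pid=12361,uid=97): auth-worker<1>: sql(admin@example.com,198.51.100.7,<T4bMi1jIU9BoiAwt>): Password mismatch (given password: sha1:bbbb0001)
Jul 30 11:07:03 mx dovecot[9737]: auth-worker(12362): conn unix:auth-worker (pid=12361,uid=97): auth-worker<1>: sql(admin@example.com,198.51.100.7,<U5bMi1jIU9BoiAwu>): Password mismatch (given password: sha1:bbbb0002)
Jul 30 11:07:04 mx dovecot[9737]: auth-worker(12362): conn unix:auth-worker (pid=12361,uid=97): auth-worker<1>: sql(admin@example.com,198.51.100.7,<V6bMi1jIU9BoiAwv>): Password mismatch (given password: sha1:bbbb0003)
Jul 30 11:09:30 mx dovecot[9737]: auth-worker(12362): conn unix:auth-worker (pid=12361,uid=97): auth-worker<1>: sql(bob@example.com,203.0.113.9,<W7bMi1jIU9BoiAww>): Password mismatch (given password: sha1:cccc0001)
Jul 30 11:09:31 mx dovecot[9737]: auth-worker(12362): conn unix:auth-worker (pid=12361,uid=97): auth-worker<1>: sql(nobody@example.com,203.0.113.9,<X8bMi1jIU9BoiAwx>): unknown user
""".splitlines()

# passdb(user,ip,<session>): Password mismatch (given password: TOKEN)
MISMATCH_RE = re.compile(
    r'(?P<db>[\w-]+)\((?P<user>[^,]+),(?P<ip>[^,]+),<[^>]*>\): '
    r'Password mismatch \(given password: (?P<pw>[^)]*)\)'
)


def parse_failures(lines):
    """Yield (user, ip, password_token) for every mismatch line; other lines are ignored."""
    for line in lines:
        m = MISMATCH_RE.search(line)
        if m:
            yield m['user'], m['ip'], m['pw']


def classify(lines, min_attempts=3):
    """Group failures per (user, ip) and label repeated-single-hash runs as a
    stale client, runs with several distinct hashes as a brute-force attempt.
    Pairs below min_attempts (assumed threshold) are dropped as noise."""
    tokens = defaultdict(list)
    for user, ip, pw in parse_failures(lines):
        tokens[(user, ip)].append(pw)
    report = {}
    for key, pws in tokens.items():
        if len(pws) < min_attempts:
            continue
        distinct = len(set(pws))
        report[key] = {'attempts': len(pws), 'distinct': distinct,
                       'verdict': 'stale-client' if distinct == 1 else 'brute-force'}
    return report


if __name__ == '__main__':
    for (user, ip), info in classify(SAMPLE_LOG).items():
        print(f"{ip} -> {user}: {info['attempts']} failures, "
              f"{info['distinct']} distinct passwords: {info['verdict']}")
```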