Paul Kudla:
> 
> ok i had similiar issues and ended up patching the sasl auth system 
> inside postfix to include login username & IP ADDRESS
> 
> this gave a single log file entry (syslog, file whatever postfix was 
> configured to do) showing that the account had been accessed for sending 
> an email
> 
> example :
> 
> mail19      10-24 08:13:38 {postfix.in}     [5814]  (1222052179) Oct 24 
> 08:13:38 mail19 postfix/smtpd[5814]: 09B192D2C2B:
>  
> client=174-138-211-141.cpe.distributel.net[174.138.211.141], 
> sasl_method=PLAIN, [email protected]

Postfix logs the above information after successful login. That
is all the information you need to block a compromised account.

It's not safe to always log the username after failure, becasue
users sometimes enter their password in the wrong place. If you log
the username you should verify that the name is valid.

        Wietse

Reply via email to