[Dovecot] Authentication Error Message formats

2008-10-29 Thread Albert E. Whale
I have been using UW's IMAP server and I am converting to Dovecot for
Maildir support.

When a user fails authentication, or a user does not exist, it appears
that the same message is used for these events.

Is there a way to indicate that the user does not exist (Invalid user),
and authentication Failure (Failed Password)?

Clearly these two failures indicate a different error in the system.
One indicates that someone forgot their password; the other indicates a
dictionary attack.
-- 
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant

ABS Computer Technology, Inc. http://www.ABS-CompTech.com - Email,
Internet and Security Consultants
SPAMZapper http://www.Spam-Zapper.com - No-JunkMail.com
http://www.No-JunkMail.com - *True Spam Elimination*.


Re: [Dovecot] Authentication Error Message formats

2008-10-29 Thread Charles Marcus
On 10/29/2008, Albert E. Whale ([EMAIL PROTECTED]) wrote:
> When a user fails authentication, or a user does not exist, it appears
> that the same message is used for these events.

When asking for help, it is always a good idea to provide some basic
info... in  this case, sample log entries from failed events, and output
of dovecot -n?

-- 

Best regards,

Charles


Re: [Dovecot] Authentication Error Message formats

2008-10-29 Thread Timo Sirainen
On Wed, 2008-10-29 at 09:49 -0400, Albert E. Whale wrote:
> I have been using UW's IMAP server and I am converting to Dovecot for
> Maildir support.
>
> When a user fails authentication, or a user does not exist, it appears
> that the same message is used for these events.
>
> Is there a way to indicate that the user does not exist (Invalid user),
> and authentication Failure (Failed Password)?

To user: no. In logs: yes, with auth_verbose=yes.





Re: [Dovecot] Authentication Error Message formats

2008-10-29 Thread Albert E. Whale
Charles Marcus wrote:
> On 10/29/2008, Albert E. Whale ([EMAIL PROTECTED]) wrote:
>> When a user fails authentication, or a user does not exist, it appears
>> that the same message is used for these events.
>
> When asking for help, it is always a good idea to provide some basic
> info... in this case, sample log entries from failed events, and output
> of dovecot -n?

Thanks Charles, my apologies.

Here is the Logging info:

Oct 29 09:43:12 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=darrel, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234
Oct 29 09:43:15 192.168.50.5 dovecot: auth-worker(default): pam(darrel,217.168.145.51): pam_authenticate() failed: Authentication failure
Oct 29 09:43:17 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=darrel, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234
Oct 29 09:43:20 192.168.50.5 dovecot: auth-worker(default): pam(darrel,217.168.145.51): pam_authenticate() failed: Authentication failure
Oct 29 09:43:22 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=darrel, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234

And my dovecot.conf is attached.

BTW, these entries are samples of invalid users.

-- 
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant

ABS Computer Technology, Inc. http://www.ABS-CompTech.com - Email,
Internet and Security Consultants
SPAMZapper http://www.Spam-Zapper.com - No-JunkMail.com
http://www.No-JunkMail.com - *True Spam Elimination*.
ns6.ABS-CompTech.com root
[/root] dovecot -n
# 1.1.4: /etc/dovecot.conf
base_dir: /var/run/dovecot/
protocols: imap pop3
ssl_disable: yes
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_greeting: SpamZapper Email ready.
mail_max_userip_connections(default): 10
mail_max_userip_connections(imap): 10
mail_max_userip_connections(pop3): 3
verbose_proctitle: yes
mail_privileged_group: mail
mail_location: mbox:~/mail:INBOX=/var/spool/mail/%u
mail_debug: yes
mmap_disable: yes
mail_nfs_storage: yes
mail_nfs_index: yes
lock_method: dotlock
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
pop3_uidl_format(default): %08Xu%08Xv
pop3_uidl_format(imap): %08Xu%08Xv
pop3_uidl_format(pop3): %08Xv%08Xu
auth default:
  username_format: %Lu
  verbose: yes
  debug: yes
  passdb:
    driver: passwd-file
    args: /home/dovecot.passwd
  passdb:
    driver: pam
  userdb:
    driver: passwd-file
    args: /home/dovecot.passwd
  userdb:
    driver: passwd



Re: [Dovecot] Authentication Error Message formats

2008-10-29 Thread Albert E. Whale
Timo Sirainen wrote:
> On Wed, 2008-10-29 at 09:49 -0400, Albert E. Whale wrote:
>> I have been using UW's IMAP server and I am converting to Dovecot for
>> Maildir support.
>>
>> When a user fails authentication, or a user does not exist, it appears
>> that the same message is used for these events.
>>
>> Is there a way to indicate that the user does not exist (Invalid user),
>> and authentication Failure (Failed Password)?
>
> To user: no. In logs: yes, with auth_verbose=yes.

Timo, Thank you.  I already have auth_verbose=yes.

Here is what I am seeing:

Oct 29 09:43:31 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=darrin, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234
Oct 29 09:43:34 192.168.50.5 dovecot: auth-worker(default): pam(darrin,217.168.145.51): pam_authenticate() failed: Authentication failure
Oct 29 09:43:36 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=darrin, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234
Oct 29 09:43:38 192.168.50.5 dovecot: auth-worker(default): pam(darrin,217.168.145.51): pam_authenticate() failed: Authentication failure
Oct 29 09:43:40 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=darrin, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234

These attempts to authenticate Darrin will not complete, as this is not
a valid user.  The IP Address 217.168.145.51 was cycling through 1364
attempts.  I would like to identify this type of activity sooner, as
this is not a valid user.

-- 
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant

ABS Computer Technology, Inc. http://www.ABS-CompTech.com - Email,
Internet and Security Consultants
SPAMZapper http://www.Spam-Zapper.com - No-JunkMail.com
http://www.No-JunkMail.com - *True Spam Elimination*.


Re: [Dovecot] Authentication Error Message formats

2008-10-29 Thread Timo Sirainen
On Wed, 2008-10-29 at 11:17 -0400, Albert E. Whale wrote:
> Oct 29 09:43:34 192.168.50.5 dovecot: auth-worker(default):
> pam(darrin,217.168.145.51): pam_authenticate() failed: Authentication
> failure
..
> These attempts to authenticate Darrin will not complete, as this is not
> a valid user.  The IP Address 217.168.145.51 was cycling through 1364
> attempts.  I would like to identify this type of activity sooner, as
> this is not a valid user.

OK, so you're using PAM. PAM doesn't tell Dovecot why the authentication
failed. There are two possible solutions for your problem:

a) Look at PAM's own log (auth.log probably) instead. It probably tells
the reason.

b) Don't use PAM.
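
Added example, not part of the original thread and not Dovecot code: because PAM does not pass the failure reason back to Dovecot, one log-side way to spot this activity sooner is to count the login process's "Aborted login" lines per rip inside a time window and compare each user= value against the site's own account list. The detect function, its threshold and window, the VALID_USERS set and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Login-process failure line in the format posted in this thread
# (angle brackets around the user name are accepted but optional).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:pop3|imap)-login: "
    r"Aborted login \(auth failed, (?P<n>\d+) attempts\): "
    r"user=<?(?P<user>[^,>]*)>?, method=\S+, rip=(?P<rip>[^,\s]+)")

def detect(lines, valid_users, threshold=3, window=timedelta(minutes=5), year=2008):
    """Alert once per source IP when it reaches `threshold` failed attempts
    inside `window`; split the tried names into known and unknown accounts."""
    recent = defaultdict(deque)              # rip -> (time, user, attempts)
    alerted, alerts = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:                            # auth-worker/PAM lines are skipped
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["rip"]]
        q.append((ts, m["user"].lower(), int(m["n"])))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        failures = sum(n for _, _, n in q)
        if failures >= threshold and m["rip"] not in alerted:
            alerted.add(m["rip"])
            users = {u for _, u, _ in q}
            alerts.append({"rip": m["rip"], "failures": failures,
                           "unknown_users": sorted(users - valid_users),
                           "known_users": sorted(users & valid_users)})
    return alerts

# Assumption: lower-case account names exported from the site's user database.
VALID_USERS = {"alice", "bob"}
# Constructed sample lines (documentation IP ranges), modelled on the thread's format.
SAMPLE = """\
Oct 29 09:43:12 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=darrel, method=PLAIN, rip=203.0.113.51, lip=192.0.2.10
Oct 29 09:43:17 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=darrin, method=PLAIN, rip=203.0.113.51, lip=192.0.2.10
Oct 29 09:43:20 mail dovecot: auth-worker(default): pam(darrin,203.0.113.51): pam_authenticate() failed: Authentication failure
Oct 29 09:43:22 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=darryl, method=PLAIN, rip=203.0.113.51, lip=192.0.2.10
Oct 29 09:50:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=alice, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE, VALID_USERS):
        print(alert)
```

An alert whose unknown_users list keeps growing from a single rip matches the dictionary-attack pattern described in the thread, while a single known user with a few failures looks more like a forgotten password.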


