Find IP Address of Authentication Failure?

I have a pesky little problem I’d like to resolve. Out of the hundreds of email accounts my server handles, there is one and only one user that can’t seem to get their smtp login right and I have numerous authentication failure entries in secure.log.

I’d like to help the client identify which of their computers or phone has the incorrect login, but for the life of me, I can’t seem to find the IP address associated with these failures.

Jan 3 09:28:25 secure saslauthd[3674]: pam_succeed_if(smtp:auth): error retrieving information about user user.domain.com.

How can I find the IP?

Brian

Howdy,

In the secure log, or possibly in /var/log/maillog, should be a related entry right before the one above that notifies about an incoming connection.

It would look something like:

postfix/smtpd[26671]: connect from HOSTNAME[x.y.z.q] …

The hostname/IP listed there for the connect should be what you’re after.

-Eric

Thanks Eric,

This is the full entry of two of them back to back in secure (nothing else related above or below):

Jan 3 09:27:18 secure saslauthd[3681]: pam_unix(smtp:auth): check pass; user unknown
Jan 3 09:27:18 secure saslauthd[3681]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jan 3 09:27:18 secure saslauthd[3681]: pam_succeed_if(smtp:auth): error retrieving information about user user.domain.com
Jan 3 09:28:25 secure saslauthd[3674]: pam_unix(smtp:auth): check pass; user unknown
Jan 3 09:28:25 secure saslauthd[3674]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jan 3 09:28:25 secure saslauthd[3674]: pam_succeed_if(smtp:auth): error retrieving information about user user.domain.com

However, by trying to match the time stamp of the above entries with the same period in the maillog, I find:

Jan 3 09:28:25 secure postfix/smtpd[15612]: warning: 1.1.1.1: hostname 1-1-1-1.mobile.mymmode.com verification failed: Name or service not known
Jan 3 09:28:25 secure postfix/smtpd[15612]: connect from unknown[1.1.1.1]
Jan 3 09:28:27 secure postfix/smtpd[15612]: warning: SASL authentication failure: Password verification failed
Jan 3 09:28:27 secure postfix/smtpd[15612]: warning: unknown[1.1.1.1]: SASL PLAIN authentication failed: authentication failure
Jan 3 09:28:28 secure postfix/smtpd[15612]: lost connection after AUTH from unknown[1.1.1.1]
Jan 3 09:28:28 secure postfix/smtpd[15612]: disconnect from unknown[1.1.1.1]

So if the above entry is the one I’m looking for, then the reason I had trouble finding it is that it doesn’t identify which account it was for.

At any rate, looks like the mystery is solved.

Thanks again,
Brian
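The manual timestamp matching Brian describes can be scripted, since saslauthd logs the account but no client (rhost= is empty) while postfix/smtpd logs the client IP but no account. The following is an added example, not code from the thread: it joins the two logs on time using sample lines constructed from the excerpts above, and assumes a 5-second window and a supplied year (syslog lines carry none).

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, modelled on the excerpts quoted in the thread.
SECURE_LOG = """\
Jan 3 09:28:25 secure saslauthd[3674]: pam_unix(smtp:auth): check pass; user unknown
Jan 3 09:28:25 secure saslauthd[3674]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jan 3 09:28:25 secure saslauthd[3674]: pam_succeed_if(smtp:auth): error retrieving information about user user.domain.com
"""
MAILLOG = """\
Jan 3 09:28:25 secure postfix/smtpd[15612]: connect from unknown[1.1.1.1]
Jan 3 09:28:27 secure postfix/smtpd[15612]: warning: SASL authentication failure: Password verification failed
Jan 3 09:28:27 secure postfix/smtpd[15612]: warning: unknown[1.1.1.1]: SASL PLAIN authentication failed: authentication failure
Jan 3 09:28:28 secure postfix/smtpd[15612]: disconnect from unknown[1.1.1.1]
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
USER_RE = re.compile(r"error retrieving information about user (\S+)")
SASL_RE = re.compile(r"warning: \S+\[([^\]]+)\]: SASL \w+ authentication failed")

def entries(text, year=1900):
    """Yield (timestamp, message) per syslog line; syslog omits the year, so one is assumed."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def saslauthd_failures(secure_text):
    """(timestamp, account) per saslauthd failure; the pam_succeed_if line that follows names the account."""
    out, pending = [], None
    for ts, msg in entries(secure_text):
        if "pam_unix(smtp:auth): authentication failure" in msg:
            pending = ts
        elif pending is not None and USER_RE.search(msg):
            out.append((pending, USER_RE.search(msg).group(1).rstrip(".")))
            pending = None
    return out

def smtpd_failures(maillog_text):
    """(timestamp, client IP) per postfix SASL failure; smtpd logs the client but not the account."""
    return [(ts, SASL_RE.search(msg).group(1)) for ts, msg in entries(maillog_text) if SASL_RE.search(msg)]

def correlate(secure_text, maillog_text, window=timedelta(seconds=5)):
    """Join on time: smtpd logs its failure shortly after saslauthd rejects the password (window assumed)."""
    smtpd = smtpd_failures(maillog_text)
    results = []
    for ts, user in saslauthd_failures(secure_text):
        near = [(t - ts, ip) for t, ip in smtpd if timedelta(0) <= t - ts <= window]
        results.append((ts.strftime("%b %d %H:%M:%S"), user, min(near)[1] if near else None))
    return results
```

Running `correlate(SECURE_LOG, MAILLOG)` pairs the 09:28:25 failure for user.domain.com with client 1.1.1.1; a failure with no smtpd entry inside the window is reported with `None` so it is not silently dropped.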