These forums are locked and archived, but all topics have been migrated to the new forum. Topic: Find IP Address of Authentication Failure?
I have a pesky little problem I'd like to resolve. Out of the hundreds of email accounts my server handles, there is one and only one user that can't seem to get their SMTP login right, and I have numerous authentication failure entries in secure.log.
I'd like to help the client identify which of their computers or phone has the incorrect login, but for the life of me, I can't seem to find the IP address associated with these failures.
Jan 3 09:28:25 secure saslauthd[3674]: pam_succeed_if(smtp:auth): error retrieving information about user user.domain.com.
How can I find the IP?
Brian
Howdy,
In the secure log, or possibly in /var/log/maillog, there should be a related entry right before the one above that notifies about an incoming connection.
It would look something like:
postfix/smtpd[26671]: connect from HOSTNAME[x.y.z.q] ...
The hostname/IP listed there for the connect should be what you're after.
-Eric
Thanks Eric,
This is the full entry of two of them back to back in secure (nothing else related above or below):
Jan 3 09:27:18 secure saslauthd[3681]: pam_unix(smtp:auth): check pass; user unknown
Jan 3 09:27:18 secure saslauthd[3681]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jan 3 09:27:18 secure saslauthd[3681]: pam_succeed_if(smtp:auth): error retrieving information about user user.domain.com
Jan 3 09:28:25 secure saslauthd[3674]: pam_unix(smtp:auth): check pass; user unknown
Jan 3 09:28:25 secure saslauthd[3674]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jan 3 09:28:25 secure saslauthd[3674]: pam_succeed_if(smtp:auth): error retrieving information about user user.domain.com
However, by trying to match the timestamp of the above entries with the same period in the maillog, I find:
Jan 3 09:28:25 secure postfix/smtpd[15612]: warning: 1.1.1.1: hostname 1-1-1-1.mobile.mymmode.com verification failed: Name or service not known
Jan 3 09:28:25 secure postfix/smtpd[15612]: connect from unknown[1.1.1.1]
Jan 3 09:28:27 secure postfix/smtpd[15612]: warning: SASL authentication failure: Password verification failed
Jan 3 09:28:27 secure postfix/smtpd[15612]: warning: unknown[1.1.1.1]: SASL PLAIN authentication failed: authentication failure
Jan 3 09:28:28 secure postfix/smtpd[15612]: lost connection after AUTH from unknown[1.1.1.1]
Jan 3 09:28:28 secure postfix/smtpd[15612]: disconnect from unknown[1.1.1.1]
So if the above entry is the one I'm looking for, then the reason I had trouble finding it is that it doesn't identify which account it was for.
At any rate, looks like the mystery is solved.
Thanks again, Brian
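The correlation Eric describes and Brian carried out by hand, as an added example that is not part of the original thread: the saslauthd lines in the secure log name the account but have an empty rhost= (saslauthd only receives a username/password pair from smtpd, never the client socket), while the postfix/smtpd lines in the maillog carry the peer address but, in this Postfix version, not the username. The only join key is time, so the script below pairs each saslauthd "error retrieving information about user" line with the nearest smtpd "SASL ... authentication failed" line that follows it within a small window and reports the IP, or None when no mail-log line lands in the window (as for the 09:27:18 failure in the thread). The sample lines are the ones posted above, with the IP already anonymised there; the year is assumed only because syslog timestamps do not carry one. Function and variable names are this example's own.

```python
import re
from datetime import datetime, timedelta

# Assumed year: syslog timestamps have none, and it is needed only so the
# two logs can be parsed into comparable datetimes.
ASSUMED_YEAR = 2012

# Sample input taken from the thread above (IP already anonymised there).
SECURE_LOG = """\
Jan 3 09:27:18 secure saslauthd[3681]: pam_unix(smtp:auth): check pass; user unknown
Jan 3 09:27:18 secure saslauthd[3681]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jan 3 09:27:18 secure saslauthd[3681]: pam_succeed_if(smtp:auth): error retrieving information about user user.domain.com
Jan 3 09:28:25 secure saslauthd[3674]: pam_unix(smtp:auth): check pass; user unknown
Jan 3 09:28:25 secure saslauthd[3674]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jan 3 09:28:25 secure saslauthd[3674]: pam_succeed_if(smtp:auth): error retrieving information about user user.domain.com
"""

MAIL_LOG = """\
Jan 3 09:28:25 secure postfix/smtpd[15612]: warning: 1.1.1.1: hostname 1-1-1-1.mobile.mymmode.com verification failed: Name or service not known
Jan 3 09:28:25 secure postfix/smtpd[15612]: connect from unknown[1.1.1.1]
Jan 3 09:28:27 secure postfix/smtpd[15612]: warning: SASL authentication failure: Password verification failed
Jan 3 09:28:27 secure postfix/smtpd[15612]: warning: unknown[1.1.1.1]: SASL PLAIN authentication failed: authentication failure
Jan 3 09:28:28 secure postfix/smtpd[15612]: lost connection after AUTH from unknown[1.1.1.1]
Jan 3 09:28:28 secure postfix/smtpd[15612]: disconnect from unknown[1.1.1.1]
"""

# Classic syslog prefix: "Mon  D HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w/.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The saslauthd/PAM line that names the account being tried.
SASL_USER_RE = re.compile(r"error retrieving information about user (\S+)$")
# smtpd lines that reveal the peer address.
CONNECT_RE = re.compile(r"^connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
SASL_FAIL_RE = re.compile(
    r"^warning: (?P<host>\S+)\[(?P<ip>[^\]]+)\]: SASL (?P<method>\S+) authentication failed"
)


def parse_line(line, year=ASSUMED_YEAR):
    """Return {ts, prog, pid, msg} for a syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "prog": m["prog"], "pid": int(m["pid"]), "msg": m["msg"]}


def saslauthd_failures(text, year=ASSUMED_YEAR):
    """Every saslauthd failure that names a user: [{ts, user}] in log order."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line, year)
        if rec and rec["prog"] == "saslauthd":
            m = SASL_USER_RE.search(rec["msg"])
            if m:
                out.append({"ts": rec["ts"], "user": m.group(1).rstrip(".")})
    return out


def smtpd_sasl_failures(text, year=ASSUMED_YEAR):
    """Every smtpd SASL auth failure with the peer IP: [{ts, pid, ip, method}]."""
    peers = {}  # smtpd pid -> IP from that process's most recent "connect from"
    out = []
    for line in text.splitlines():
        rec = parse_line(line, year)
        if not rec or rec["prog"] != "postfix/smtpd":
            continue
        msg, pid = rec["msg"], rec["pid"]
        c = CONNECT_RE.match(msg)
        if c:
            peers[pid] = c["ip"]
            continue
        f = SASL_FAIL_RE.match(msg)
        if f:
            # The warning names the peer itself; the connect-from map is kept so
            # the session can still be attributed if a variant line omits it.
            out.append({"ts": rec["ts"], "pid": pid, "ip": peers.get(pid, f["ip"]), "method": f["method"]})
        elif msg.startswith("disconnect from"):
            peers.pop(pid, None)
    return out


def correlate(secure_text, mail_text, year=ASSUMED_YEAR, window_seconds=5):
    """Pair each saslauthd user failure with the nearest unclaimed smtpd SASL
    failure logged at or after it within window_seconds. ip is None when no
    mail-log failure falls inside the window."""
    window = timedelta(seconds=window_seconds)
    smtp = smtpd_sasl_failures(mail_text, year)
    claimed, results = set(), []
    for fail in saslauthd_failures(secure_text, year):
        best = None
        for i, s in enumerate(smtp):
            delta = s["ts"] - fail["ts"]
            if i in claimed or delta < timedelta(0) or delta > window:
                continue
            if best is None or delta < smtp[best]["ts"] - fail["ts"]:
                best = i
        row = {"ts": fail["ts"], "user": fail["user"], "ip": None, "delta_seconds": None}
        if best is not None:
            claimed.add(best)
            row["ip"] = smtp[best]["ip"]
            row["delta_seconds"] = int((smtp[best]["ts"] - fail["ts"]).total_seconds())
        results.append(row)
    return results


if __name__ == "__main__":
    for row in correlate(SECURE_LOG, MAIL_LOG):
        print(row["ts"], row["user"], row["ip"] or "<no smtpd SASL failure within window>")
```

Run it against real files with `correlate(open("/var/log/secure").read(), open("/var/log/maillog").read())`. The time-window join is only trustworthy while failures are sparse: if several clients fail within the same few seconds, the pairing is ambiguous, and the script will assign the earliest unclaimed smtpd line rather than guess. Both logs must also come from the same clock, which they do here since the same host writes both.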