On Sun, 2013-07-28 at 19:58 +0200, Grzegorz Staniak
wrote:> Hi,
>
> Are log lines like the following:
>
> Jul 28 15:30:50 mx1.somewhere dovecot: auth-worker(18980):
> sql(user at domain,217.67.x.x): unknown user
> Jul 28 15:32:56 mx1.somewhere dovecot: auth-worker(18980):
> sql(user at domain,212.182.x.x): Password mismatch
>
> written every time any authetntication phase fails, in SASL as well as
> in POP3/IMAP mailbox access? I have a legacy app that would gain a lot
> if I could distinguish between failed SASL authentication and failed
> POP3/IMAP authentication. I know I can use the "auth failed"
lines for
> the latter case, and postfix log lines in the former, but they don't
> contain user info. Is there a way for log monitoring software to get
> failed login lines with both user info, and the reason (SASL, POP3,
> IMAP)?
With newer Dovecot versions the auth log lines include <sessionid>.
Simplest way to differentiate then POP3/IMAP vs SMTP is to see if there
is a <sessionid> at all, becauseSMTP doesn't (currently at least)
provide one.