Marc Roos
2019-Aug-09 14:39 UTC
Should dovecot not be using different logging facility and severity levels?
Should dovecot not be using different severity levels like auth.warn? On my system everything goes to loglevel info:

lev_info:Aug 9 16:18:24 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, TLS, session=<UBXJ2K+PYh68zmjw>
lev_info:Aug 9 16:18:29 mail03 dovecot: auth-worker(28656): pam(krinfo,188.206.104.240,<LOLx2K+PYx68zmjw>): unknown user
lev_info:Aug 9 16:18:50 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 25 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, TLS: Disconnected, session=<LOLx2K+PYx68zmjw>
lev_info:Aug 9 16:18:53 mail03 dovecot: auth-worker(28656): pam(krinfo,188.206.104.240,<qJOm2q+Pax68zmjw>): unknown user
lev_info:Aug 9 16:19:01 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 8 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, TLS, session=<qJOm2q+Pax68zmjw>
lev_info:Aug 9 16:19:13 mail03 dovecot: auth-worker(28656): pam(krinfo,188.206.104.240,<k8/X26+Pch68zmjw>): unknown user
lev_info:Aug 9 16:19:15 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, TLS, session=<k8/X26+Pch68zmjw>
lev_info:Aug 9 16:19:24 mail03 dovecot: auth-worker(28656): pam(krinfo,188.206.104.240,<MjBy3K+Pfh68zmjw>): unknown user
lev_info:Aug 9 16:19:26 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, TLS, session=<MjBy3K+Pfh68zmjw>
lev_info:Aug 9 16:19:27 mail03 dovecot: auth-worker(28656): pam(krinfo,188.206.104.240,<oRmo3K+Pfx68zmjw>): unknown user
lev_info:Aug 9 16:19:29 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, TLS, session=<oRmo3K+Pfx68zmjw>
lev_info:Aug 9 16:19:47 mail03 dovecot: auth-worker(29664): pam(krinfo,188.206.104.240,<14Pb3a+Pih68zmjw>): unknown user
lev_info:Aug 9 16:19:49 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, TLS, session=<14Pb3a+Pih68zmjw>
lev_info:Aug 9 16:19:51 mail03 dovecot: auth-worker(29664): pam(krinfo,188.206.104.240,<99cO3q+Pix68zmjw>): unknown user
lev_info:Aug 9 16:19:53 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, TLS, session=<99cO3q+Pix68zmjw>

This is how failed attempts are logged by vsftpd:

fac_authpriv:Aug 9 16:24:42 web01 vsftpd[7255]: pam_ldap(vsftpd:auth): Authentication failure; user=xxxxx
fac_authpriv:Aug 9 16:24:42 web01 vsftpd[7255]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=xxxxx rhost=xxxxx user=xxxxx
fac_ftp:Aug 9 16:24:44 web01 vsftpd[7255]: [xxxxx] FAIL LOGIN: Client "x.x.x.x"
lev_notice:Aug 9 16:24:42 web01 vsftpd[7255]: pam_ldap(vsftpd:auth): Authentication failure; user=xxxxx
lev_notice:Aug 9 16:24:42 web01 vsftpd[7255]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=xxxxx rhost=xxxxx user=xxxxx
lev_warn:Aug 9 16:24:44 web01 vsftpd[7255]: [xxxxx] FAIL LOGIN: Client "x.x.x.x"

Using dovecot-2.2.36-3.el7.x86_64 on CentOS7
I am looking at replacing our creaky old courier-imap server, which takes authentication and user info from an LDAP database, with dovecot imap. Any comments on the wisdom of this choice of action, or anything I should know about the setting up before starting to work on it?
On 2019-08-09, Joseph Mays via dovecot <dovecot at dovecot.org> wrote:
> I am looking at replacing our creaky old courier-imap server, which takes
> authentication and user info from an LDAP database, with dovecot imap. Any
> comments on the wisdom of this choice of action, or anything I should know
> about the setting up before starting to work on it?

Plenty of people have this type of setup, if you already know what you're doing with LDAP from the existing installation you shouldn't have any problem configuring it with Dovecot.
Timo Sirainen
2019-Aug-14 19:33 UTC
Should dovecot not be using different logging facility and severity levels?
On 9 Aug 2019, at 17.39, Marc Roos via dovecot <dovecot at dovecot.org> wrote:
>
> Should dovecot not be using different severity levels like auth.warn? On
> my system everything goes to loglevel info:

My thinking has been:

 * Panic: There's a bug that needs fixing
 * Fatal: Somewhat stronger error
 * Error: Something's broken or misconfigured - admin should fix something
 * Warning: Something seems to be at least temporarily broken, like maybe some limit was reached because the system was overloaded. Admin may need to do something or possibly just wait. Either way, these should be looked into.
 * Info: Events that admin doesn't necessarily need to look at, except while debugging or for gathering stats or something
 * Debug: Only when really debugging

> lev_info:Aug 9 16:18:24 mail03 dovecot: imap-login: Aborted login (auth
> failed, 1 attempts in 2 secs): user=<xxxxx>, method=PLAIN, rip=x.x.x.x,
> lip=x.x.x.x, TLS, session=<UBXJ2K+PYh68zmjw>
> lev_info:Aug 9 16:18:29 mail03 dovecot: auth-worker(28656):
> pam(krinfo,188.206.104.240,<LOLx2K+PYx68zmjw>): unknown user

These are regular events that happen all the time due to brute force attacks and such. I don't know why you'd want to see them as warnings?
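Since these failures arrive at severity info, anything that wants to act on them has to match on message content rather than syslog level. The following is an added example, not code from the thread or from the Dovecot project: it counts failed sessions per source address from the two line formats quoted above, using the session id to avoid counting the auth-worker and imap-login lines of one attempt twice. The sample lines, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format quoted in the thread
# (addresses are from documentation ranges; users and sessions are made up).
SAMPLE = """\
Aug 9 16:18:24 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<s1>
Aug 9 16:18:29 mail03 dovecot: auth-worker(28656): pam(bob,203.0.113.7,<s2>): unknown user
Aug 9 16:18:50 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 25 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS: Disconnected, session=<s2>
Aug 9 16:19:13 mail03 dovecot: auth-worker(28656): pam(carol,203.0.113.7,<s3>): unknown user
Aug 9 16:40:02 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, TLS, session=<s4>
Aug 9 16:41:00 mail03 dovecot: imap-login: Login: user=<erin>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, TLS, session=<s5>
"""

STAMP = re.compile(r"(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)")
LOGIN = re.compile(r"-login: .*auth failed.*?rip=([^,\s]+).*?session=<([^>]+)>")
WORKER = re.compile(r"auth-worker\(\d+\): pam\([^,]*,([^,]+),<([^>]+)>\): unknown user")

def failed_sessions(text, year=2019):
    """Map session id -> (source ip, first timestamp). One entry per session,
    so the auth-worker and imap-login lines of one attempt count once."""
    seen = {}
    for line in text.splitlines():
        m = LOGIN.search(line) or WORKER.search(line)
        t = STAMP.search(line)
        if not (m and t):
            continue  # successful logins and unrelated lines are skipped
        ip, session = m.groups()
        # Syslog timestamps carry no year; the year is an assumption.
        ts = datetime.strptime(f"{year} {t[1]} {t[2]} {t[3]}", "%Y %b %d %H:%M:%S")
        seen.setdefault(session, (ip, ts))
    return seen

def noisy_sources(text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: count} for sources with >= threshold failed sessions in window."""
    by_ip = defaultdict(list)
    for ip, ts in failed_sessions(text).values():
        by_ip[ip].append(ts)
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            n = sum(1 for s in stamps[i:] if s - start <= window)
            if n >= threshold:
                hits[ip] = max(hits.get(ip, 0), n)
    return hits

if __name__ == "__main__":
    print(noisy_sources(SAMPLE))
```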