[Dovecot] Authentication Error Message formats

[Albert E. Whale]

Timo Sirainen wrote:
> On Wed, 2008-10-29 at 09:49 -0400, Albert E. Whale wrote:
>   
>> I have been using UW's IMAP server and I am converting to Dovecot for
>> Maildir support.
>>
>> When a user fails authentication, or a user does not exist, it appears
>> that the same message is used for these events.
>>
>> Is there a way to indicate that the user does not exist (Invalid user),
>> and authentication Failure (Failed Password)?
>>     
>
> To user: no. In logs: yes, with auth_verbose=yes.
>
>   
Timo, Thank you.  I already have auth_verbose=yes.

Here is what I am seeing:

Oct 29 09:43:31 192.168.50.5 dovecot: pop3-login: Aborted login (auth
failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51,
lip=66.207.133.234
Oct 29 09:43:34 192.168.50.5 dovecot: auth-worker(default):
pam(darrin,217.168.145.51): pam_authenticate() failed: Authentication
failure
Oct 29 09:43:36 192.168.50.5 dovecot: pop3-login: Aborted login (auth
failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51,
lip=66.207.133.234
Oct 29 09:43:38 192.168.50.5 dovecot: auth-worker(default):
pam(darrin,217.168.145.51): pam_authenticate() failed: Authentication
failure
Oct 29 09:43:40 192.168.50.5 dovecot: pop3-login: Aborted login (auth
failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51,
lip=66.207.133.234

These attempts to authenticate Darrin will not complete, as this is not
a valid user.  The IP Address 217.168.145.51 was cycling through 1364
attempts.  I would like to identify this type of activity sooner, as
this is not a valid user.

-- 
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
------------------------------------------------------------------------
ABS Computer Technology, Inc. <http://www.ABS-CompTech.com> - Email,
Internet and Security Consultants
SPAMZapper <http://www.Spam-Zapper.com> - No-JunkMail.com
<http://www.No-JunkMail.com> - *True Spam Elimination*.