
Brute Force Dictionary Attack on Dovecot

1,324 bytes added, 05:59, 7 February 2014
ENTRIES FROM: secure (log)

messages

Dec 27 03:50:35 lvps83 saslauthd[6120]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb  6 22:21:24 mailserver01 saslauthd[1150]: do_auth         : auth failure: [user=summer] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6122]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb  6 22:21:24 mailserver01 saslauthd[1149]: do_auth         : auth failure: [user=summer] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

The above lines are from saslauthd. There must be corresponding lines from postfix as well, and those contain the IP address of the attacker.

secure

Feb  6 22:21:22 mailserver01 saslauthd[1150]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Feb  6 22:21:22 mailserver01 saslauthd[1150]: pam_succeed_if(smtp:auth): error retrieving information about user summer
Feb  6 22:21:22 mailserver01 saslauthd[1149]: pam_unix(smtp:auth): check pass; user unknown
Feb  6 22:21:22 mailserver01 saslauthd[1149]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Feb  6 22:21:22 mailserver01 saslauthd[1149]: pam_succeed_if(smtp:auth): error retrieving information about user summer

maillog

Feb  6 22:21:24 mailserver01 postfix/smtpd[16812]: warning: s15449723.onlinehome-server.com[74.208.17.177]: SASL LOGIN authentication failed: authentication failure
Feb  6 22:21:24 mailserver01 postfix/smtpd[16814]: warning: s15449723.onlinehome-server.com[74.208.17.177]: SASL LOGIN authentication failed: authentication failure

It is a shortcoming of postfix/dovecot/sasl that the IP address of the attacker is not stored in the messages log or the secure log. The only way to match entries from either of those two logs against the maillog is by the timestamp, which is problematic on a server with a great deal of mail activity.

It would be nice if the IP address were in the messages or secure log, or if there were a key value that could be used to match exactly with the correct entries in maillog.
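The timestamp-only correlation described above, written out as an added example (not part of the original page): it parses the saslauthd failures from messages/secure and the postfix smtpd SASL failures from maillog, then pairs a failed username with every source IP seen within a small time window. The sample lines are copied from the page's excerpt; the 2014 year for the year-less syslog timestamps and the 2-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample entries taken from the page's messages/secure and maillog excerpt.
SECURE = """Feb  6 22:21:24 mailserver01 saslauthd[1150]: do_auth         : auth failure: [user=summer] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb  6 22:21:24 mailserver01 saslauthd[1149]: do_auth         : auth failure: [user=summer] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 27 03:50:35 lvps83 saslauthd[6120]: do_auth : auth failure: [user=james] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]"""

MAILLOG = """Feb  6 22:21:24 mailserver01 postfix/smtpd[16812]: warning: s15449723.onlinehome-server.com[74.208.17.177]: SASL LOGIN authentication failed: authentication failure
Feb  6 22:21:24 mailserver01 postfix/smtpd[16814]: warning: s15449723.onlinehome-server.com[74.208.17.177]: SASL LOGIN authentication failed: authentication failure"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
# saslauthd line: carries the username but no client address
SASL_RE = re.compile(TS + r" \S+ saslauthd\[\d+\]: do_auth\s*: auth failure: \[user=(?P<user>[^\]]*)\]")
# postfix smtpd line: carries the client address but no username
SMTPD_RE = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")

def parse_ts(s, year=2014):
    # syslog timestamps have no year; the year is an assumption (page is dated 2014)
    return datetime.strptime(f"{year} " + " ".join(s.split()), "%Y %b %d %H:%M:%S")

def correlate(secure_text, maillog_text, window_s=2):
    """Map each failed username to every source IP that failed SASL auth
    within window_s seconds. On a busy server a user may map to several
    IPs, which is exactly the ambiguity the page complains about."""
    fails = [(parse_ts(m["ts"]), m["user"])
             for m in map(SASL_RE.search, secure_text.splitlines()) if m]
    smtpd = [(parse_ts(m["ts"]), m["ip"])
             for m in map(SMTPD_RE.search, maillog_text.splitlines()) if m]
    hits = defaultdict(set)
    for t, user in fails:
        for u, ip in smtpd:
            if abs((u - t).total_seconds()) <= window_s:
                hits[user].add(ip)
    return {user: sorted(ips) for user, ips in hits.items()}

def failures_per_ip(maillog_text):
    """Count SASL failures per client IP from maillog alone; this is the
    unambiguous input for rate-based blocking, no correlation needed."""
    counts = defaultdict(int)
    for m in map(SMTPD_RE.search, maillog_text.splitlines()):
        if m:
            counts[m["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    print(correlate(SECURE, MAILLOG))
    print(failures_per_ip(MAILLOG))
```

The Dec 27 entry for james is left unmatched because no smtpd failure falls within its window; a real run should also guard against year rollover in the syslog timestamps.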