Changes

Brute Force Dictionary Attack on Dovecot

1,214 bytes added, 14:30, 7 February 2014
The following lines were added (+) and removed (-):
The offending attacker connects to dovecot and issues several attempts to send messages as a number of different users.  Dovecot only logs the initial connection, that process ID is tagged along with the IP address of the attacker.  Then PAM gets the requests for all of the different login names being thrown at it.  PAM has to work with SASL to check if the logins are valid.  Each time a process ID is generated that tags both PAM and SASL with the same ID, however, the IP address is not captured here.  It is not PAM's job to communicate with the system to capture IP addressing, as this would create unnecessary overhead for PAM and negatively impact an otherwise quick process.  The problem is, other than a relative timestamp, the PID, or tagged id to the log entry only match the PAM to SASL communication, and cannot be matched up against Dovecot.  This is fine for a small mail server with few users.  However, when other user authentication requests are coming though on the same timestamp, it can be difficult to match up the log entries generated by pam in the messages and secure log against the offending postfix log entry in maillog, the only place the actual attacker IP address can be gleaned.
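Review bot: the paragraph never explains how Postfix enters the picture, yet its last sentence makes "the offending postfix log entry in maillog" the only place the attacker's IP address can be found; if the attempts are SMTP AUTH logins that Postfix hands to Dovecot's SASL service, the first sentence should say that instead of describing the attacker as connecting to Dovecot to "send messages", because the two paths produce different log lines. The PID reasoning also needs tightening: the text first says "each time a process ID is generated" and then that the PID "only match[es] the PAM to SASL communication", but a process ID identifies the process doing the authenticating, not an individual attempt, so one long-running auth process stamps every attempt with the same PID and the PID cannot serve as a per-attempt key; say that plainly rather than leaving the reader to infer it. "It is not PAM's job to communicate with the system to capture IP addressing" is asserted as a design fact without a log line to back it; show the actual entry from the secure log (including whether it carries a remote-host field) next to the Dovecot and Postfix entries, name which of messages, secure and maillog each one lands in at first mention, and replace "tagged along with the IP address" and "tagged id" with the field names as printed in the log so a reader can grep for them. Finally, "This is fine for a small mail server with few users" should state why (with few entries a timestamp match is unambiguous), since it otherwise reads as contradicting the preceding "cannot be matched up against Dovecot".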