- marked as enhancement
dovecot login failure not detected on macOS 10.12
Issue #44
resolved
On macOS 10.12 with unified logging Dovecot login failures are not detected. The problem stems from the presence of the "(libdovecot.0.dylib)" string. Sample log lines:
2016-10-15 14:12:29.250063+0100 localhost log[64346]: (libdovecot.0.dylib) imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<smwardle>, method=PLAIN, rip=94.197.121.171, lip=192.168.1.4, TLS: Disconnected, session=<YDMtGOc+p6lexXmr>
2016-10-15 19:38:17.198453+0100 localhost log[64346]: (libdovecot.0.dylib) imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<smwardle>, method=PLAIN, rip=92.40.249.129, lip=192.168.1.4, TLS: Disconnected, session=<HS9Wpes+vJFcKPmB>
Also "Disconnected" appears instead of "Aborted login" if a user verification is attempted and fails.
Comments (10)
-
reporter
-
reporter
- edited description
-
reporter
- edited description
-
reporter
- edited description
-
reporter
fixed in attack_scanner.l
< (imap|pop3)"-login: Aborted login (auth failed, "{NUMBER}" attempts".*"): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; }
> ("(libdovecot."[0-9]+".dylib) ")?(imap|pop3)"-login: "("Aborted login"|Disconnected)" (auth failed, "{NUMBER}" attempts".*"): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; }
-
- changed status to open
Could you re-attach the patch as a
git format-patchor a unified diff? Thanks! -
reporter
- attached dovecot_dylib.patch
I'll try - new to git.
-
Seems like you forgot to follow up on this one, @Partmedia.
-
-
assigned issue to
Kevin Zheng
-
assigned issue to
-
- changed status to resolved
Sorry for the delay. Committed in f296cf5, thanks!
- Log in to comment
