dovecot login failure not detected on macOS 10.12

Create issue
Issue #44 resolved
Steve Wardle created an issue

On macOS 10.12 with unified logging Dovecot login failures are not detected. The problem stems from the presence of the "(libdovecot.0.dylib)" string. Sample log lines:

2016-10-15 14:12:29.250063+0100 localhost log[64346]: (libdovecot.0.dylib) imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<smwardle>, method=PLAIN, rip=94.197.121.171, lip=192.168.1.4, TLS: Disconnected, session=<YDMtGOc+p6lexXmr>

2016-10-15 19:38:17.198453+0100 localhost log[64346]: (libdovecot.0.dylib) imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<smwardle>, method=PLAIN, rip=92.40.249.129, lip=192.168.1.4, TLS: Disconnected, session=<HS9Wpes+vJFcKPmB>

Also "Disconnected" appears instead of "Aborted login" if a user verification is attempted and fails.

Comments (10)

  1. Steve Wardle reporter

    fixed in attack_scanner.l

    166c166

    < (imap|pop3)"-login: Aborted login (auth failed, "{NUMBER}" attempts".*"): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; }

    > ("(libdovecot."[0-9]+".dylib) ")?(imap|pop3)"-login: "("Aborted login"|Disconnected)" (auth failed, "{NUMBER}" attempts".*"): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; }

  2. Log in to comment