Linode Forum
 Post subject: Cracking attempt
PostPosted: Fri Jan 29, 2010 1:40 pm 
I've had an attempt at cracking my mail server. Any idea why I'm not seeing an IP on these messages?

dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=abc123 rhost=


PostPosted: Mon Feb 15, 2010 12:20 pm 
People try to crack my email about once every minute or so. It's annoying, and adds to the log file length. What to worry about is if someone actually succeeds at it. No crack, no worries. I'm looking at a Ruby on Rails replacement for SquirrelMail that will alert a user to the last login time and IP address, so these things can be avoided. Using the Linux way, no notices for failed crack attempts.


PostPosted: Mon Mar 01, 2010 8:08 pm 
Had the exact same problem, and it was driving me crazy. I even went as far as to add iptables and ip6tables rules to log every packet destined for POP/s, IMAP/s, for both IPv4 and IPv6.

Research on Dovecot mailing list & documentation was no help. Research via the Dovecot IRC channel was also not any help.

After I saw another wave of crack attempts with ZERO iptables log entries, it occurred to me what was going on -- these weren't POP/IMAP crack attempts, the cracker was coming in via SMTP-Auth attempts! Postfix + Dovecot + SASLauthd w/ TLS encryption, Postfix relying upon Dovecot/SASLauthd for the passthrough authentication.

Some quick research revealed that some of Dovecot's very poorly named variables were causing the SMTP-Auth attempts to not get logged AT ALL.

Enable these two "debugging" variables, and you should see the auth attempts with the missing source IPs logged properly. Depending on your environment, you will see it logged with your Postfix logs, your sasl/authentication logs, or your Dovecot logs. That all depends on how you have syslog configured.

auth_verbose = yes
verbose_ssl = yes

The one I was missing was 'verbose_ssl'. Once I enabled this and restarted Dovecot, SMTP authentications, successes and failures, WITH source IP, were now being logged properly.

Depending on the version of Dovecot & setup, you may have to correlate logs from more than one location to determine the source IP & attempted username.

Hope this helps!

 Post subject: Re: Cracking attempt
PostPosted: Thu Mar 11, 2010 11:03 am 
node_tux wrote:
I've had an attempt at cracking my mail server. Any idea why I'm not seeing an IP on these messages?

dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=abc123 rhost=


I added the Dovecot support to OSSEC. The active response feature will stop these after just a few attempts.

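The two fixes proposed in this thread, turning on Dovecot's verbose auth logging so the source IP appears, and blocking a source after a few failures as OSSEC's active response does, both depend on being able to parse the failure lines and attribute them to an IP. The script below is an added example written for this page; it is not code from the forum posters, Dovecot, Postfix or OSSEC. It parses the pam_unix line quoted in the first post (where rhost= is empty), counts those unattributed failures, and also parses Dovecot's own auth lines to count failures per source IP and pick the IPs that crossed a threshold. Assumptions, marked in the code as well: the Dovecot auth line format `pam(<user>,<ip>): ...` is assumed for Dovecot 1.x and should be adjusted for your version; the sample log lines are constructed, not captured; and the threshold of three is an arbitrary stand-in for whatever your active-response rule uses.

```python
"""Correlate Dovecot authentication failures and decide which IPs to block.

Added example for this thread, not code from the forum, Dovecot or OSSEC.
Assumptions: the pam_unix line format is the one quoted in the thread; the
Dovecot ``pam(<user>,<ip>): ...`` line format is ASSUMED for Dovecot 1.x;
the sample log lines are constructed.
"""
import re
from collections import Counter, defaultdict

# pam_unix line exactly as quoted in the first post. rhost= is empty for
# SMTP-AUTH passthrough attempts when Dovecot's verbose logging is off.
PAM_UNIX_RE = re.compile(
    r"pam_unix\(dovecot:auth\): authentication failure;.*?"
    r"\bruser=(?P<user>\S*)\s+rhost=(?P<rhost>\S*)"
)

# Dovecot's own line once auth_verbose=yes is on. Format ASSUMED (Dovecot 1.x):
#   dovecot: auth(default): pam(<user>,<ip>): pam_authenticate() failed: ...
DOVECOT_AUTH_RE = re.compile(
    r"dovecot: auth(?:\([^)]*\))?: pam\((?P<user>[^,]*),(?P<rhost>[^)]*)\): "
)

# Constructed sample log: two unattributed pam_unix failures, one attributed
# pam_unix failure, and four Dovecot auth lines from two source IPs.
SAMPLE_LOG = """\
Jan 29 13:40:01 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=abc123 rhost=
Jan 29 13:40:02 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=
Jan 29 13:40:03 mx dovecot: auth(default): pam(abc123,203.0.113.7): pam_authenticate() failed: Authentication failure
Jan 29 13:40:04 mx dovecot: auth(default): pam(admin,203.0.113.7): pam_authenticate() failed: Authentication failure
Jan 29 13:40:05 mx dovecot: auth(default): pam(info,203.0.113.7): pam_authenticate() failed: Authentication failure
Jan 29 13:40:06 mx dovecot: auth(default): pam(bob,198.51.100.9): pam_authenticate() failed: Authentication failure
Jan 29 13:40:07 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=198.51.100.9
"""


def parse_failures(log_text):
    """Return (user, rhost, source) for every failure line found.

    rhost is '' when the line carried none, which is the symptom the thread
    is about. source is 'pam_unix' or 'dovecot' so callers can tell which
    logger produced the line.
    """
    events = []
    for line in log_text.splitlines():
        m = PAM_UNIX_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("rhost"), "pam_unix"))
            continue
        m = DOVECOT_AUTH_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("rhost"), "dovecot"))
    return events


def summarize(events):
    """Count failures per source IP and the user names tried from each IP.

    Failures with an empty rhost are counted separately: they cannot be
    attributed to anyone, which is why enabling auth_verbose matters.
    """
    per_ip = Counter()
    users_per_ip = defaultdict(set)
    unattributed = 0
    for user, rhost, _source in events:
        if not rhost:
            unattributed += 1
            continue
        per_ip[rhost] += 1
        users_per_ip[rhost].add(user)
    return per_ip, users_per_ip, unattributed


def ips_to_block(per_ip, threshold=3):
    """Source IPs at or above the failure threshold, sorted.

    The threshold is an arbitrary stand-in for an active-response rule
    ("block after a few attempts"), not a value taken from OSSEC.
    """
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    per_ip, users, unattributed = summarize(events)
    print(f"{unattributed} failure(s) with no source IP; enable auth_verbose")
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} failure(s), users tried: {sorted(users[ip])}")
    print("block:", ips_to_block(per_ip))
```

One caveat when running this against a real mail log: once auth_verbose is on, a single attempt may produce both a pam_unix line and a Dovecot line, so a script like this counts it twice unless it keys on one logger only (the Dovecot line is the one that reliably carries the IP). Feed it the syslog file or files that the third poster mentions, since the lines can land in the Postfix, SASL or Dovecot log depending on the syslog configuration.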