Custom regex for Postfix on Ubuntu (SMTP auth failures)
Posted: 14 May 2024, 05:34
I'm having difficulty with getting SMTP auth failures detected by LFD. I believe this is partially due to Postfix on Ubuntu not reporting the "rhost" in the /var/log/auth.log file. Here's an example:
May 14 14:05:27 myserver saslauthd[610]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=someone@somewhere.com
The other way this can be obtained is via /var/log/mail.log, which does report an IP address:
May 14 14:05:29 myserver postfix/smtpd[9006]: warning: remote.fqdn[123.123.123.123]: SASL LOGIN authentication failed: authentication failure
The regex for this seems a bit more complicated. I am struggling and would appreciate some assistance from you fine people to construct a custom regex that retrieves the IP address as listed in the above log example.
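As an added illustration (not code from the post or from CSF/LFD itself), the following Python prototypes the two patterns over constructed copies of the log lines above: the mail.log pattern captures the bracketed client address (also handling Postfix's `IPv6:` prefix, which goes beyond the IPv4-only example in the post), while the auth.log pattern only yields an address when `rhost=` is actually populated, so the empty saslauthd case counts as a miss rather than a false hit. The regex syntax is kept PCRE-compatible so it can be carried into a Perl-based custom rule.

```python
import re

# Constructed sample lines modelled on the two formats in the post.
AUTH_LOG = ("May 14 14:05:27 myserver saslauthd[610]: pam_unix(smtp:auth): "
            "authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= "
            "user=someone@somewhere.com")
MAIL_LOG = ("May 14 14:05:29 myserver postfix/smtpd[9006]: warning: "
            "remote.fqdn[123.123.123.123]: SASL LOGIN authentication failed: "
            "authentication failure")

# /var/log/mail.log: client address sits in square brackets after the
# (possibly "unknown") hostname; Postfix prefixes IPv6 addresses with "IPv6:".
POSTFIX_SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)

# /var/log/auth.log: rhost= is normally empty for saslauthd, so \S* may match
# nothing; the caller treats an empty capture as "no usable address".
PAM_RE = re.compile(
    r"pam_unix\(smtp:auth\): authentication failure;.*\brhost=(?P<ip>\S*)"
)


def extract_failed_auth_ip(line):
    """Return the source address of an SMTP auth failure, or None when the
    line carries no address (the empty-rhost case from auth.log)."""
    m = POSTFIX_SASL_RE.search(line)
    if m:
        return m.group("ip")
    m = PAM_RE.search(line)
    if m and m.group("ip"):
        return m.group("ip")
    return None


def count_failures(lines):
    """Tally failures per source address, skipping lines with no address,
    which is the count a blocking threshold would be applied to."""
    counts = {}
    for line in lines:
        ip = extract_failed_auth_ip(line)
        if ip:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    print(count_failures([MAIL_LOG, MAIL_LOG, AUTH_LOG]))
```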