Re: [Courier-imap] authdaemond log no rhost

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Gregor Horvath writes:

> Hello,
>
> I would like to configure a fail2ban rule for authdaemond authentication  
> failures.
> Unfortunately the rhost field in the auth.log is empty:
>
> Feb 21 08:35:29 host1 authdaemond: pam_unix(imap:auth): authentication  
> failure; logname= uid=0 euid=0 tty= ruser= rhost= user=user1
>
> How can I get the remote IP Address?
> I am using Debian stable stretch.

You need to check into your syslog settigs. imaplogin logs failed login  
attempts via syslog. Example from Fedora:

Feb 21 20:51:35 octopus imapd[15235]: LOGIN FAILED, user=x, ip=[::ffff:192.168.0.4]

These messages get send to syslog, tagging them with subsystem mail, log  
level info (mail.info).

Stock setting on Fedora, in /etc/rsyslog.conf:

mail.*                                                  -/var/log/maillog

And that's where everything gets dumped to (and rotated).