Can't find the IP address of a Saslauthd login attempt

Question

I need help locating the origin IP from this error messages/ login attempts:

From the 'sasl auth daemon' via Logwatch:

pam_unix(smtp:auth): check pass; user unknown
pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
pam_succeed_if(smtp:auth): error retrieving information about user whatEver

From /var/log/messages:

Mar  8 04:38:51 mySuperServer saslauthd[17397]: do_auth         : auth failure: [user= whatEver] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

I know it's saslauthd related. They try to connect to the SMTP port to send email but they are rejected. I can't seem to find the IP address anywhere; I want to block it.

Look at the rest of the log entries. – Michael Hampton Mar 13 '19 at 17:14 — Michael Hampton, Mar 13 '19 at 17:14
i've checked but nothing there – Minner Mar 15 '19 at 13:48 — Minner, Mar 15 '19 at 13:48

score 0 · Answer 1 · answered May 07 '21 at 13:39

0

IP addresses for SASLAUTHD are logged in /var/log/mail.log

answered May 07 '21 at 13:39

Will10

1

Can't find the IP address of a Saslauthd login attempt

1 Answers1