Asai wrote:
> Greetings,
>
> In the server log files I got back this morning, I see in the records
> this entry:
>
>    1   Unknown
>    1      Unknown
>    1         218.30.101.41 unknown
>
>
> Normally this will give me an email address on top, the AUTH type next,
> and the IP at the bottom with the reverse DNS there. I checked the IP
> address and it's in China, so it's definitely not one of our users. Can
> anyone tell me how to interpret this, and to plug any holes which might
> be allowing this?
>
This looks like partial postfix-logwatch output. Show the log line in
question, and the Section header from where this output came.

[ edit: I see you've already shared log lines ]

I believe this is the SaslAuthRelay section. The first level is the
SASL sender (and user if available). The second level is the SASL
method (or Unknown if not available). The third level is the host IP
and the Postfix reported host name (in this case, it was unknown).

But, your entry discovered a bug in the parsing of the sasl_sender=
portion of smtpd's client= log line. The output should look like:

    1   SASL authenticated relayed messages ------------------
    1      [EMAIL PROTECTED] (*unknown)
    1         *unknown
    1            218.30.101.41 unknown

I've corrected the bug in 1.37.08:

http://www.mikecappella.com/logwatch/

MrC
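
An added example, not part of the original post and not postfix-logwatch's own code: a small Python tally of Postfix smtpd `client=` lines into the three levels described in the reply, treating each `sasl_*` attribute as optional and substituting `*unknown` (the placeholder shown in the corrected output) when one is missing. The log lines are constructed, the function names are hypothetical, and the layout is a simplification of the real report.

```python
import re
from collections import Counter

UNKNOWN = "*unknown"

# Postfix smtpd: "QUEUEID: client=host[ip], sasl_method=..., sasl_username=..., sasl_sender=..."
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)
# Each sasl_* attribute is optional, so parse them independently of presence.
ATTR_RE = re.compile(r",\s*(sasl_method|sasl_username|sasl_sender)=([^,\s]+)")


def parse_client_line(line):
    """Return a dict for a client= line carrying SASL attributes, else None."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    attrs = dict(ATTR_RE.findall(m.group("rest")))
    if not attrs:  # plain connection with no SASL attributes logged
        return None
    return {
        "sender": attrs.get("sasl_sender", UNKNOWN),
        "user": attrs.get("sasl_username", UNKNOWN),
        "method": attrs.get("sasl_method", UNKNOWN),
        "ip": m.group("ip"),
        "host": m.group("host"),
    }


def tally(lines):
    """Count (sender+user, method, ip+host) keys, one per report level."""
    counts = Counter()
    for line in lines:
        rec = parse_client_line(line)
        if rec:
            level1 = f"{rec['sender']} ({rec['user']})"
            counts[(level1, rec["method"], f"{rec['ip']} {rec['host']}")] += 1
    return counts


# Constructed sample lines (documentation addresses, not from the original post).
SAMPLE = [
    "Jan  1 10:00:00 mx postfix/smtpd[101]: A1B2C3D4E5: client=unknown[192.0.2.10], sasl_sender=a@example.com",
    "Jan  1 10:00:05 mx postfix/smtpd[102]: B2C3D4E5F6: client=mail.example.org[198.51.100.7], sasl_method=PLAIN, sasl_username=bob, sasl_sender=bob@example.org",
    "Jan  1 10:00:09 mx postfix/smtpd[103]: C3D4E5F6A7: client=host.example.net[203.0.113.5]",
]

if __name__ == "__main__":
    for (who, method, client), n in sorted(tally(SAMPLE).items()):
        print(f"{n:6d}   {who}\n{n:9d}   {method}\n{n:12d}   {client}")
```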