Hi.
When a user inputs an incorrect password, I have the following message
in the logs:
mx1 postfix/smtpd[1069]: warning: unknown[89.xx.xx.xx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Which is perfectly normal.

But how can I also show the username that was tried in the logs? I want
to see:
1. Which user keeps entering the wrong password.
2. What user is someone else trying to hijack.

I need this because a user of mine was hijacked a few days ago. I have
fail2ban installed and working (banning IPs for 1 hour after 10
incorrect passwords), but looking through the logs in the last month I
realized this might have been a distributed attack actually.

Running postfix 2.5.9.

Thanks!

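An added example, not part of the original post: the token after "authentication failed:" is base64 for the server's "Password:" prompt, not the attempted username, and failures spread over many addresses can each stay under a per-IP ban limit. The sketch below parses lines in the quoted format and separates failures a 10-per-IP ban would catch from those that stay below it; the sample lines, the function names and the single counting window are assumptions made for illustration.

```python
import base64
import re
from collections import Counter

# Matches the smtpd warning format quoted in the post.
FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<detail>\S*)"
)

def decode_detail(detail):
    """Base64-decode the trailing token; return it unchanged if it is not base64."""
    try:
        return base64.b64decode(detail, validate=True).decode("utf-8", "replace")
    except ValueError:
        return detail

def parse_failures(text):
    """Yield (ip, mechanism, decoded_detail) for every SASL failure line."""
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m["ip"], m["mech"], decode_detail(m["detail"])

def summarize(text, ban_threshold=10):
    """Split failures into those a per-IP ban catches and those that stay under it.

    Assumption: every line in `text` falls inside one ban-counting window.
    """
    per_ip = Counter(ip for ip, _, _ in parse_failures(text))
    below = {ip: n for ip, n in per_ip.items() if n < ban_threshold}
    return {
        "total": sum(per_ip.values()),
        "would_ban": sorted(ip for ip, n in per_ip.items() if n >= ban_threshold),
        "below_threshold_ips": len(below),
        "below_threshold_failures": sum(below.values()),
    }

def constructed_sample():
    """Constructed log lines (documentation address ranges), not real data."""
    line = ("Mar  1 10:00:{:02d} mx1 postfix/smtpd[1069]: warning: unknown[{}]: "
            "SASL LOGIN authentication failed: UGFzc3dvcmQ6")
    ips = ["198.51.100.7"] * 10 + ["192.0.2.%d" % i for i in range(1, 13)]
    return "\n".join(line.format(i, ip) for i, ip in enumerate(ips))

if __name__ == "__main__":
    print(decode_detail("UGFzc3dvcmQ6"))
    print(summarize(constructed_sample()))
```

A large `below_threshold_failures` count spread over many `below_threshold_ips` is the pattern a per-IP limit does not stop.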