From owner-freebsd-questions@FreeBSD.ORG  Tue Jun  4 15:59:57 2013
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
 by hub.freebsd.org (Postfix) with ESMTP id B19B9289
 for <freebsd-questions@freebsd.org>; Tue,  4 Jun 2013 15:59:57 +0000 (UTC)
 (envelope-from tundra@tundraware.com)
Received: from ozzie.tundraware.com (ozzie.tundraware.com [75.145.138.73])
 by mx1.freebsd.org (Postfix) with ESMTP id 7FD6D1AAB
 for <freebsd-questions@freebsd.org>; Tue,  4 Jun 2013 15:59:57 +0000 (UTC)
Received: from [10.219.130.119] ([66.175.245.1]) (authenticated bits=0)
 by ozzie.tundraware.com (8.14.7/8.14.7) with ESMTP id r54FlB5k072869
 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO)
 for <freebsd-questions@freebsd.org>; Tue, 4 Jun 2013 10:47:14 -0500 (CDT)
 (envelope-from tundra@tundraware.com)
Message-ID: <51AE0C04.2050507@tundraware.com>
Date: Tue, 04 Jun 2013 10:47:16 -0500
From: Tim Daneliuk <tundra@tundraware.com>
Organization: TundraWare Inc.
User-Agent: Mozilla/5.0 (X11; Linux i686;
 rv:17.0) Gecko/20130329 Thunderbird/17.0.5
MIME-Version: 1.0
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Can sasl/sendmail Report IP Of Failed Access?
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3
 (ozzie.tundraware.com [75.145.138.73]); Tue, 04 Jun 2013 10:47:15 -0500 (CDT)
X-TundraWare-MailScanner-Information: Please contact the ISP for more
 information
X-TundraWare-MailScanner-ID: r54FlB5k072869
X-TundraWare-MailScanner: Found to be clean
X-TundraWare-MailScanner-From: tundra@tundraware.com
X-Spam-Status: No
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: tundra@tundraware.com
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2013 15:59:57 -0000

I am seeing login dictionary attacks on a FreeBSD mail server being
reported.  Is there a way to determine the IPs that are doing this
so they can be blocked at the firewall?   auth.log only
notes the attempted user name, not the IP of origin.
-- 
-----------------------------------------------------------------------
Tim Daneliuk