Right now, Exim doesn't seem to have a way to force it to log absolutely
all successful SMTP authentication (especially not immediately, the moment
someone succeeds). An authenticated connection that sends email logs the
successful authentication in the A=<..> portion of the '<=' log line and
if you add '+smtp_no_mail' as a log selector, an authenticated connection
that doesn't even try to send mail will have this logged on disconnect.
But this leaves a logging gap for connections that authenticate, try to
send mail, get rejected during the SMTP transaction, and then disconnect.
(smtp_no_mail also covers too much if all you care about is people who
authenticate and then disconnect. There's any number of people probing
your SMTP port in general these days.)
I'd suggest adding a new logging selector, say 'smtp_authenticated',
that triggers to write a log line when the SMTP authentication process
succeeds. This both covers all cases and logs immediately, which I
personally view as important for auditing.
An alternate approach would be a new general option in SMTP
authenticators to set a message that gets logged when they succeed.
I suspect that this is less clean (and more work) than just a new
logging selector.
- cks
