Hi Not sure whether this is the correct list to ask ... if it's not please direct me to the correct one. Is it possible on to log a bit more detail when auth failure occurs when using saslauthd? saslauthd[2119]: do_auth : auth failure: [user=DELETED] [service=smtp] [realm=DELETED] [mech=pam] [reason=PAM auth error] What I want is the IP address and if possible the incorrect password (just to see how far they are off). Is this possible? thanks Jobst -- If a pig loses its voice, is it disgruntled? | |0| | Jobst Schmalenbach | | |0| jobst at barrett.com.au |0|0|0| General Manager
On 04/25/2017 07:00 PM, Jobst Schmalenbach wrote:> What I want is the IP address and if possible the incorrect password (just to see how far they are off). > Is this possible?I hope not. That's a terrible idea. Every time a user fat-fingers their password, your plain-text logs have a copy of their almost-correct password.
On 4/25/2017 7:00 PM, Jobst Schmalenbach wrote:> Is it possible on to log a bit more detail when auth failure occurs when using saslauthd? > > saslauthd[2119]: do_auth : auth failure: [user=DELETED] [service=smtp] [realm=DELETED] [mech=pam] [reason=PAM auth error] > > What I want is the IP address and if possible the incorrect password (just to see how far they are off). > Is this possible?what protocol are these users connecting with thats using saslauthd ? http or smtp or imap or what? I'm pretty sure that by the time you've gotten down to the SASL layer, saslauthd has no clue what iP address the client request originated from, so logging the IP of the failed request had best be done at a higher layer. -- john r pierce, recycling bits in santa cruz
On Tue, Apr 25, 2017 at 07:15:43PM -0700, John R Pierce (pierce at hogranch.com) wrote:> On 4/25/2017 7:00 PM, Jobst Schmalenbach wrote: > > snip > > client request originated from, so logging the IP of the failed request had > best be done at a higher layer.Good answer, makes sense. As for the higher layer used - can be either sendmail or imaps as both use the saslauth. Just need to find a way to "connect" the sasl request to the caller that issued the sasl request ... thx Jobst -- Student to Teacher: Sir, what's an oxymoron? .... Teacher to Student: Microsoft security. | |0| | Jobst Schmalenbach, jobst at barrett.com.au, General Manager | | |0| Barrett Consulting Group P/L & The Meditation Room P/L |0|0|0| +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
On Tue, Apr 25, 2017 at 07:14:56PM -0700, Gordon Messmer (gordon.messmer at gmail.com) wrote:> On 04/25/2017 07:00 PM, Jobst Schmalenbach wrote: > > What I want is the IP address and if possible the incorrect password (just to see how far they are off). > > Is this possible? > > I hope not. That's a terrible idea. Every time a user fat-fingers their > password, your plain-text logs have a copy of their almost-correct password. >As always there are tradeoffs ... I have a reasonable strict password policy, so by looking at the failed passwords I can see how far the tries are off the real thing, so it actually is a good thing for me. Also I learn which passwords are used for cracking, which again is a good thing. As for the logged passwords - this is a non user server, only two people have access ... so reading the logs is difficult for imap/sendmail users in the company ... J -- Gravity does not exist, the Earth sucks. | |0| | Jobst Schmalenbach, jobst at barrett.com.au, General Manager | | |0| Barrett Consulting Group P/L & The Meditation Room P/L |0|0|0| +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia