dovecot - May 2017 - Postfix and Dovecot SASL: log NTLM username

dovecot 2.2.22
postfix 3.1.1

I?m seeing "SASL NTLM authentication failed: {long_hash}? in mail.log.

Is there a way to log the SASL username?

I think postfix is logging what Dovecot SASL is returning so I hope I am asking
on the right list.


Regards,
Bradley Giesbrecht (pixilla)

The problem is that the SASL message contains NTLM(v2) message, so it
would need to be decoded. We can see if there is something we can do
about this. At the moment it's not possible to log this.

Aki


On 23.05.2017 03:23, Bradley Giesbrecht wrote:
> dovecot 2.2.22
> postfix 3.1.1
>
> I?m seeing "SASL NTLM authentication failed: {long_hash}? in mail.log.
>
> Is there a way to log the SASL username?
>
> I think postfix is logging what Dovecot SASL is returning so I hope I am
asking on the right list.
>
>
> Regards,
> Bradley Giesbrecht (pixilla)

The problem we are facing is incorrect authentications being caught by firewall
rules and IP?s getting blocked. We would like to be able to identify the problem
account to help the domain admin track down the issue.

Does anyone have another idea? We use sql user db so I thought of logging all
login attempts to a table with timestamps and lookup the failed logins by
timestamp.


Regards,
Bradley Giesbrecht (pixilla)

> On May 22, 2017, at 10:54 PM, Aki Tuomi <aki.tuomi at dovecot.fi>
wrote:
> 
> The problem is that the SASL message contains NTLM(v2) message, so it
> would need to be decoded. We can see if there is something we can do
> about this. At the moment it's not possible to log this.
> 
> Aki
> 
> 
> On 23.05.2017 03:23, Bradley Giesbrecht wrote:
>> dovecot 2.2.22
>> postfix 3.1.1
>> 
>> I?m seeing "SASL NTLM authentication failed: {long_hash}? in
mail.log.
>> 
>> Is there a way to log the SASL username?
>> 
>> I think postfix is logging what Dovecot SASL is returning so I hope I
am asking on the right list.
>> 
>> 
>> Regards,
>> Bradley Giesbrecht (pixilla)