The problem we are facing is incorrect authentications being caught by firewall rules and IP?s getting blocked. We would like to be able to identify the problem account to help the domain admin track down the issue. Does anyone have another idea? We use sql user db so I thought of logging all login attempts to a table with timestamps and lookup the failed logins by timestamp. Regards, Bradley Giesbrecht (pixilla)> On May 22, 2017, at 10:54 PM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote: > > The problem is that the SASL message contains NTLM(v2) message, so it > would need to be decoded. We can see if there is something we can do > about this. At the moment it's not possible to log this. > > Aki > > > On 23.05.2017 03:23, Bradley Giesbrecht wrote: >> dovecot 2.2.22 >> postfix 3.1.1 >> >> I?m seeing "SASL NTLM authentication failed: {long_hash}? in mail.log. >> >> Is there a way to log the SASL username? >> >> I think postfix is logging what Dovecot SASL is returning so I hope I am asking on the right list. >> >> >> Regards, >> Bradley Giesbrecht (pixilla)
As band-aid you could try looking at the SASL message, if you decode64 it might contain the username in plain text. Aki On 23.05.2017 17:44, Bradley Giesbrecht wrote:> The problem we are facing is incorrect authentications being caught by firewall rules and IP?s getting blocked. We would like to be able to identify the problem account to help the domain admin track down the issue. > > Does anyone have another idea? We use sql user db so I thought of logging all login attempts to a table with timestamps and lookup the failed logins by timestamp. > > > Regards, > Bradley Giesbrecht (pixilla) > > >> On May 22, 2017, at 10:54 PM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote: >> >> The problem is that the SASL message contains NTLM(v2) message, so it >> would need to be decoded. We can see if there is something we can do >> about this. At the moment it's not possible to log this. >> >> Aki >> >> >> On 23.05.2017 03:23, Bradley Giesbrecht wrote: >>> dovecot 2.2.22 >>> postfix 3.1.1 >>> >>> I?m seeing "SASL NTLM authentication failed: {long_hash}? in mail.log. >>> >>> Is there a way to log the SASL username? >>> >>> I think postfix is logging what Dovecot SASL is returning so I hope I am asking on the right list. >>> >>> >>> Regards, >>> Bradley Giesbrecht (pixilla)
In fact, looking again, dovecot should log the failure with username, if available. Aki On 24.05.2017 09:22, Aki Tuomi wrote:> As band-aid you could try looking at the SASL message, if you decode64 > it might contain the username in plain text. > > Aki > > > On 23.05.2017 17:44, Bradley Giesbrecht wrote: >> The problem we are facing is incorrect authentications being caught by firewall rules and IP?s getting blocked. We would like to be able to identify the problem account to help the domain admin track down the issue. >> >> Does anyone have another idea? We use sql user db so I thought of logging all login attempts to a table with timestamps and lookup the failed logins by timestamp. >> >> >> Regards, >> Bradley Giesbrecht (pixilla) >> >> >>> On May 22, 2017, at 10:54 PM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote: >>> >>> The problem is that the SASL message contains NTLM(v2) message, so it >>> would need to be decoded. We can see if there is something we can do >>> about this. At the moment it's not possible to log this. >>> >>> Aki >>> >>> >>> On 23.05.2017 03:23, Bradley Giesbrecht wrote: >>>> dovecot 2.2.22 >>>> postfix 3.1.1 >>>> >>>> I?m seeing "SASL NTLM authentication failed: {long_hash}? in mail.log. >>>> >>>> Is there a way to log the SASL username? >>>> >>>> I think postfix is logging what Dovecot SASL is returning so I hope I am asking on the right list. >>>> >>>> >>>> Regards, >>>> Bradley Giesbrecht (pixilla)