Postfix and Dovecot SASL: log NTLM username

Bradley Giesbrecht pixilla at
Tue May 23 17:44:18 EEST 2017

The problem we are facing is incorrect authentications being caught by firewall rules and IP’s getting blocked. We would like to be able to identify the problem account to help the domain admin track down the issue.

Does anyone have another idea? We use sql user db so I thought of logging all login attempts to a table with timestamps and lookup the failed logins by timestamp.

Bradley Giesbrecht (pixilla)

> On May 22, 2017, at 10:54 PM, Aki Tuomi <aki.tuomi at> wrote:
> The problem is that the SASL message contains NTLM(v2) message, so it
> would need to be decoded. We can see if there is something we can do
> about this. At the moment it's not possible to log this.
> Aki
> On 23.05.2017 03:23, Bradley Giesbrecht wrote:
>> dovecot 2.2.22
>> postfix 3.1.1
>> I’m seeing "SASL NTLM authentication failed: {long_hash}” in mail.log.
>> Is there a way to log the SASL username?
>> I think postfix is logging what Dovecot SASL is returning so I hope I am asking on the right list.
>> Regards,
>> Bradley Giesbrecht (pixilla)

More information about the dovecot mailing list