As band-aid you could try looking at the SASL message, if you decode64 it might contain the username in plain text.
Aki
On 23.05.2017 17:44, Bradley Giesbrecht wrote:
The problem we are facing is incorrect authentications being caught by firewall rules and IP’s getting blocked. We would like to be able to identify the problem account to help the domain admin track down the issue.
Does anyone have another idea? We use sql user db so I thought of logging all login attempts to a table with timestamps and lookup the failed logins by timestamp.
Regards, Bradley Giesbrecht (pixilla)
On May 22, 2017, at 10:54 PM, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
The problem is that the SASL message contains NTLM(v2) message, so it would need to be decoded. We can see if there is something we can do about this. At the moment it's not possible to log this.
Aki
On 23.05.2017 03:23, Bradley Giesbrecht wrote:
dovecot 2.2.22 postfix 3.1.1
I’m seeing "SASL NTLM authentication failed: {long_hash}” in mail.log.
Is there a way to log the SASL username?
I think postfix is logging what Dovecot SASL is returning so I hope I am asking on the right list.
Regards, Bradley Giesbrecht (pixilla)