Postfix and Dovecot SASL: log NTLM username
dovecot 2.2.22 postfix 3.1.1
I’m seeing "SASL NTLM authentication failed: {long_hash}” in mail.log.
Is there a way to log the SASL username?
I think postfix is logging what Dovecot SASL is returning so I hope I am asking on the right list.
Regards, Bradley Giesbrecht (pixilla)
The problem is that the SASL message contains NTLM(v2) message, so it would need to be decoded. We can see if there is something we can do about this. At the moment it's not possible to log this.
Aki
On 23.05.2017 03:23, Bradley Giesbrecht wrote:
dovecot 2.2.22 postfix 3.1.1
I’m seeing "SASL NTLM authentication failed: {long_hash}” in mail.log.
Is there a way to log the SASL username?
I think postfix is logging what Dovecot SASL is returning so I hope I am asking on the right list.
Regards, Bradley Giesbrecht (pixilla)
The problem we are facing is incorrect authentications being caught by firewall rules and IP’s getting blocked. We would like to be able to identify the problem account to help the domain admin track down the issue.
Does anyone have another idea? We use sql user db so I thought of logging all login attempts to a table with timestamps and lookup the failed logins by timestamp.
Regards, Bradley Giesbrecht (pixilla)
On May 22, 2017, at 10:54 PM, Aki Tuomi aki.tuomi@dovecot.fi wrote:
The problem is that the SASL message contains NTLM(v2) message, so it would need to be decoded. We can see if there is something we can do about this. At the moment it's not possible to log this.
Aki
On 23.05.2017 03:23, Bradley Giesbrecht wrote:
dovecot 2.2.22 postfix 3.1.1
I’m seeing "SASL NTLM authentication failed: {long_hash}” in mail.log.
Is there a way to log the SASL username?
I think postfix is logging what Dovecot SASL is returning so I hope I am asking on the right list.
Regards, Bradley Giesbrecht (pixilla)
As band-aid you could try looking at the SASL message, if you decode64 it might contain the username in plain text.
Aki
On 23.05.2017 17:44, Bradley Giesbrecht wrote:
The problem we are facing is incorrect authentications being caught by firewall rules and IP’s getting blocked. We would like to be able to identify the problem account to help the domain admin track down the issue.
Does anyone have another idea? We use sql user db so I thought of logging all login attempts to a table with timestamps and lookup the failed logins by timestamp.
Regards, Bradley Giesbrecht (pixilla)
On May 22, 2017, at 10:54 PM, Aki Tuomi aki.tuomi@dovecot.fi wrote:
The problem is that the SASL message contains NTLM(v2) message, so it would need to be decoded. We can see if there is something we can do about this. At the moment it's not possible to log this.
Aki
On 23.05.2017 03:23, Bradley Giesbrecht wrote:
dovecot 2.2.22 postfix 3.1.1
I’m seeing "SASL NTLM authentication failed: {long_hash}” in mail.log.
Is there a way to log the SASL username?
I think postfix is logging what Dovecot SASL is returning so I hope I am asking on the right list.
Regards, Bradley Giesbrecht (pixilla)
In fact, looking again, dovecot should log the failure with username, if available.
Aki
On 24.05.2017 09:22, Aki Tuomi wrote:
As band-aid you could try looking at the SASL message, if you decode64 it might contain the username in plain text.
Aki
On 23.05.2017 17:44, Bradley Giesbrecht wrote:
The problem we are facing is incorrect authentications being caught by firewall rules and IP’s getting blocked. We would like to be able to identify the problem account to help the domain admin track down the issue.
Does anyone have another idea? We use sql user db so I thought of logging all login attempts to a table with timestamps and lookup the failed logins by timestamp.
Regards, Bradley Giesbrecht (pixilla)
On May 22, 2017, at 10:54 PM, Aki Tuomi aki.tuomi@dovecot.fi wrote:
The problem is that the SASL message contains NTLM(v2) message, so it would need to be decoded. We can see if there is something we can do about this. At the moment it's not possible to log this.
Aki
On 23.05.2017 03:23, Bradley Giesbrecht wrote:
dovecot 2.2.22 postfix 3.1.1
I’m seeing "SASL NTLM authentication failed: {long_hash}” in mail.log.
Is there a way to log the SASL username?
I think postfix is logging what Dovecot SASL is returning so I hope I am asking on the right list.
Regards, Bradley Giesbrecht (pixilla)
The message in my log is logged by postfix/smtpd which is using dovecot for sasl.
Should dovecot sasl be passing the username back to postfix?
Brad
On May 23, 2017, at 11:33 PM, Aki Tuomi aki.tuomi@dovecot.fi wrote:
In fact, looking again, dovecot should log the failure with username, if available.
Aki
On 24.05.2017 09:22, Aki Tuomi wrote:
As band-aid you could try looking at the SASL message, if you decode64 it might contain the username in plain text.
Aki
On 23.05.2017 17:44, Bradley Giesbrecht wrote:
The problem we are facing is incorrect authentications being caught by firewall rules and IP’s getting blocked. We would like to be able to identify the problem account to help the domain admin track down the issue.
Does anyone have another idea? We use sql user db so I thought of logging all login attempts to a table with timestamps and lookup the failed logins by timestamp.
Regards, Bradley Giesbrecht (pixilla)
On May 22, 2017, at 10:54 PM, Aki Tuomi aki.tuomi@dovecot.fi wrote:
The problem is that the SASL message contains NTLM(v2) message, so it would need to be decoded. We can see if there is something we can do about this. At the moment it's not possible to log this.
Aki
On 23.05.2017 03:23, Bradley Giesbrecht wrote:
dovecot 2.2.22 postfix 3.1.1
I’m seeing "SASL NTLM authentication failed: {long_hash}” in mail.log.
Is there a way to log the SASL username?
I think postfix is logging what Dovecot SASL is returning so I hope I am asking on the right list.
Regards, Bradley Giesbrecht (pixilla)
participants (2)
-
Aki Tuomi
-
Bradley Giesbrecht