The message in my log is logged by postfix/smtpd which is using dovecot for
sasl.
Should dovecot sasl be passing the username back to postfix?
Brad
> On May 23, 2017, at 11:33 PM, Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>
> In fact, looking again, dovecot should log the failure with username, if
> available.
>
> Aki
>
> On 24.05.2017 09:22, Aki Tuomi wrote:
>> As band-aid you could try looking at the SASL message, if you decode64
>> it might contain the username in plain text.
>>
>> Aki
>>
>>
>> On 23.05.2017 17:44, Bradley Giesbrecht wrote:
>>> The problem we are facing is incorrect authentications being caught by
>>> firewall rules and IP’s getting blocked. We would like to be able to
>>> identify the problem account to help the domain admin track down the issue.
>>>
>>> Does anyone have another idea? We use sql user db so I thought of logging
>>> all login attempts to a table with timestamps and lookup the failed logins
>>> by timestamp.
>>>
>>>
>>> Regards,
>>> Bradley Giesbrecht (pixilla)
>>>
>>>
>>>> On May 22, 2017, at 10:54 PM, Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>>>>
>>>> The problem is that the SASL message contains NTLM(v2) message, so it
>>>> would need to be decoded. We can see if there is something we can do
>>>> about this. At the moment it's not possible to log this.
>>>>
>>>> Aki
>>>>
>>>>
>>>> On 23.05.2017 03:23, Bradley Giesbrecht wrote:
>>>>> dovecot 2.2.22
>>>>> postfix 3.1.1
>>>>>
>>>>> I’m seeing "SASL NTLM authentication failed: {long_hash}” in mail.log.
>>>>>
>>>>> Is there a way to log the SASL username?
>>>>>
>>>>> I think postfix is logging what Dovecot SASL is returning so I hope I am
>>>>> asking on the right list.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Bradley Giesbrecht (pixilla)
