The message in my log is logged by postfix/smtpd which is using dovecot for sasl.
Should dovecot sasl be passing the username back to postfix?

Brad

> On May 23, 2017, at 11:33 PM, Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>
> In fact, looking again, dovecot should log the failure with username, if
> available.
>
> Aki
>
> On 24.05.2017 09:22, Aki Tuomi wrote:
>> As a band-aid you could try looking at the SASL message, if you decode64
>> it might contain the username in plain text.
>>
>> Aki
>>
>>
>> On 23.05.2017 17:44, Bradley Giesbrecht wrote:
>>> The problem we are facing is incorrect authentications being caught by
>>> firewall rules and IPs getting blocked. We would like to be able to
>>> identify the problem account to help the domain admin track down the issue.
>>>
>>> Does anyone have another idea? We use sql user db so I thought of logging
>>> all login attempts to a table with timestamps and lookup the failed logins
>>> by timestamp.
>>>
>>>
>>> Regards,
>>> Bradley Giesbrecht (pixilla)
>>>
>>>
>>>> On May 22, 2017, at 10:54 PM, Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>>>>
>>>> The problem is that the SASL message contains an NTLM(v2) message, so it
>>>> would need to be decoded. We can see if there is something we can do
>>>> about this. At the moment it's not possible to log this.
>>>>
>>>> Aki
>>>>
>>>>
>>>> On 23.05.2017 03:23, Bradley Giesbrecht wrote:
>>>>> dovecot 2.2.22
>>>>> postfix 3.1.1
>>>>>
>>>>> I’m seeing "SASL NTLM authentication failed: {long_hash}" in mail.log.
>>>>>
>>>>> Is there a way to log the SASL username?
>>>>>
>>>>> I think postfix is logging what Dovecot SASL is returning so I hope I am
>>>>> asking on the right list.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Bradley Giesbrecht (pixilla)
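
The base64-decoding suggested in the thread, as an added example that is not part of the original messages or of Dovecot or Postfix: it parses an NTLM AUTHENTICATE (type 3) message and returns the domain, user name and workstation. It assumes the logged string is such a message; the function names are hypothetical, the sample blob is constructed, and cp437 is an assumed OEM code page.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE

def read_buffer(msg, pos):
    """Follow the (length, max length, offset) descriptor at pos; return (bytes, offset)."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length], offset

def ntlm_identity(b64_blob):
    """Return (domain, user, workstation) from a base64 NTLM AUTHENTICATE message,
    or None for a NEGOTIATE/CHALLENGE message, which carries no user name."""
    msg = base64.b64decode(b64_blob, validate=True)  # raises ValueError on bad base64
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        return None
    if len(msg) < 52:
        raise ValueError("truncated AUTHENTICATE message")
    # Descriptors: LM response, NT response, domain, user, workstation.
    bufs = [read_buffer(msg, pos) for pos in (12, 20, 28, 36, 44)]
    # Old clients omit the flags at offset 60; then the payload starts before 64.
    start = min((off for raw, off in bufs if raw), default=len(msg))
    has_flags = start >= 64 and len(msg) >= 64
    flags = struct.unpack_from("<I", msg, 60)[0] if has_flags else 0
    # Assumption: OEM strings are decoded as cp437 when Unicode was not negotiated.
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    return tuple(raw.decode(codec, errors="replace") for raw, _ in bufs[2:])

def constructed_sample():
    """Constructed AUTHENTICATE message with dummy responses (not from a real log)."""
    parts = [b"\x00" * 24, b"\x00" * 24, "EXAMPLE".encode("utf-16-le"),
             "alice".encode("utf-16-le"), "WS01".encode("utf-16-le"), b""]
    header, payload = SIGNATURE + struct.pack("<I", 3), b""
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    flags = struct.pack("<I", NEGOTIATE_UNICODE)
    return base64.b64encode(header + flags + payload).decode()

if __name__ == "__main__":
    print(ntlm_identity(constructed_sample()))
```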