Bogdan Enache:
> Hi.
> When a user inputs an incorrect password, I have the following message
> in the logs:
> mx1 postfix/smtpd[1069]: warning: unknown[89.xx.xx.xx]: SASL LOGIN
> authentication failed: UGFzc3dvcmQ6
> Which is perfectly normal.
'UGFzc3dvcmQ6' decodes into 'Password:'. That's part of the SASL LOGIN protocol. There are a dozen different protocols, and those protocols are implemented by the Cyrus SASL library or Dovecot authentication server. Postfix normally retrieves the username from the Cyrus SASL library AFTER successful authentication. The libsasl "documentation" does not promise that such information is available after login failure.

> But how can I also show the username that was tried in the logs? I want
> to see:
> 1. Which user keeps entering the wrong password.
> 2. What user is someone else trying to hijack.

This requires adding code that looks up the username after authentication failure, and finding out whether that information is available at all.

Another approach would be to rate-limit AUTH commands (by duplicating the code for rate-limiting the STARTTLS command). That would stop a dictionary attack from one bad client, but not from a botnet.

Or, one could run a network sniffer and rip the information from the TCP packets.

Wietse
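The following is an added example, not code from the thread or from Postfix itself. It illustrates two points Wietse makes: the base64 token in the warning is the SASL LOGIN server prompt ('Password:'), not the username, and the only per-client signal available from such log lines is the failure count per IP, which is what a rate limit acts on. The log lines are constructed (syslog prefix, hostnames and IPs are made up; only the base64 detail is the one from the thread), and the parser assumes the text after "authentication failed:" is either the last base64 server challenge (as shown for LOGIN) or a plain-text reason.

```python
import base64
import binascii
import re
from collections import Counter

# Constructed sample log lines in the shape shown in the thread. The timestamp,
# hostnames and IP addresses are made up; 'UGFzc3dvcmQ6' is from the thread.
SAMPLE_LOG = """\
Jan 10 12:00:01 mx1 postfix/smtpd[1069]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 12:00:05 mx1 postfix/smtpd[1069]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 12:00:09 mx1 postfix/smtpd[1072]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: generic failure
Jan 10 12:00:12 mx1 postfix/smtpd[1069]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Matches the smtpd warning line from the thread; group names are our own.
FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<detail>.*)$"
)


def b64(text: str) -> str:
    """Base64-encode a string the way SASL LOGIN puts it on the wire."""
    return base64.b64encode(text.encode()).decode()


def decode_login_challenge(detail: str):
    """Return the decoded text if the failure detail is a base64 SASL LOGIN
    prompt (e.g. 'UGFzc3dvcmQ6' -> 'Password:'), else None."""
    try:
        return base64.b64decode(detail, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def sasl_login_exchange(username: str, password: str) -> list:
    """Simulate the SMTP AUTH LOGIN dialogue to show where 'Password:' comes
    from: the server issues two base64 prompts and the client answers each.
    The logged detail is the last prompt the server sent, not the username."""
    return [
        "C: AUTH LOGIN",
        "S: 334 " + b64("Username:"),  # VXNlcm5hbWU6
        "C: " + b64(username),
        "S: 334 " + b64("Password:"),  # UGFzc3dvcmQ6
        "C: " + b64(password),
    ]


def parse_failures(log_text: str) -> list:
    """One record per SASL failure line: client IP, mechanism, raw detail and
    the decoded prompt (None when the detail is not base64)."""
    records = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        records.append({
            "ip": m.group("ip"),
            "mech": m.group("mech"),
            "detail": m.group("detail"),
            "challenge": decode_login_challenge(m.group("detail")),
        })
    return records


def repeat_offenders(records: list, threshold: int = 3) -> dict:
    """Count failures per client IP and return those at or above threshold.
    This is the per-client signal a rate limit or blocklist can act on; as
    the thread notes, it does nothing against attempts spread over a botnet."""
    counts = Counter(r["ip"] for r in records)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for step in sasl_login_exchange("alice", "hunter2"):
        print(step)
    recs = parse_failures(SAMPLE_LOG)
    for r in recs:
        print(r["ip"], r["mech"], r["detail"], "->", r["challenge"])
    print("repeat offenders:", repeat_offenders(recs))
```

Running it prints the simulated AUTH LOGIN dialogue, then each parsed failure with its decoded prompt, and finally the one constructed client that crossed the threshold. The decoded value is always a server prompt; nothing in these lines recovers the username, which is exactly the gap the question is about.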