[2025-01-05 13:58] Kirill A. Korinsky <kir...@korins.ky>
> On Sun, 05 Jan 2025 12:52:35 +0100,
> Philipp <phil...@bureaucracy.de> wrote:
> >
> > > I'm wondering the best path forward here. Given the security relevance, it
> > > seems like we should be able to see link-auth events for successful or
> > > failed authentication attempts at all points; before and after STARTTLS,
> > > and in cases whether `auth` is enabled on a listener or not. Is this a case
> > > where the smtpd-filters(7) event logging should be improved in OpenSMTPD,
> > > or am I thinking about this wrong?
> >
> > As far as I see there are currently two[0] places where auth is rejected
> > without an auth report. So the best way I see is to add an auth-rejected
> > event.
>
> Just a question: shall such an event be triggered by a failed AUTH request on a
> listener which doesn't support auth?
Yes, this was the idea. Here is a list of reasons auth is rejected:

1. The client hasn't sent helo/ehlo yet
2. The client is already authenticated
3. Auth isn't advertised
   3.1 Auth is not enabled on this listener
   3.2 The connection is still in plaintext (before starttls)
4. A plain "AUTH" without parameter is sent
5. The auth method is not supported

In theory all these cases could be encoded in the event. A simpler approach
would be to only differentiate between smtp_check_auth failed and method not
implemented.

Philipp

>
> --
> wbr, Kirill
>
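Added example, not from the thread or from OpenSMTPD itself: a small Python consumer of the smtpd-filters(7) report stream that records each session's source address from link-connect and counts non-pass link-auth results per session, the kind of brute-force detection that stays blind to the rejection cases listed above until an auth-rejected event exists. The report lines are constructed; the link-connect parameter layout (rdns, fcrdns, src, dest) and the link-auth parameter order (username, result) are assumptions about the protocol, so the result field is located by value rather than by position.

```python
from collections import defaultdict

# Constructed sample of an smtpd-filters(7) report stream (not captured from a real server).
SAMPLE_REPORTS = """\
config|ready
report|0.7|1736081880.123|smtp-in|link-connect|7641df9771b4ed00|mail.example.org|pass|203.0.113.5:51234|192.0.2.10:25
report|0.7|1736081881.001|smtp-in|link-auth|7641df9771b4ed00|alice|fail
report|0.7|1736081882.002|smtp-in|link-auth|7641df9771b4ed00|alice|fail
report|0.7|1736081883.003|smtp-in|link-auth|7641df9771b4ed00|admin|error
report|0.7|1736081884.004|smtp-in|link-auth|7641df9771b4ed00|bob|pass
report|0.7|1736081885.005|smtp-in|link-disconnect|7641df9771b4ed00
"""

AUTH_RESULTS = {"pass", "fail", "error"}


def parse_report(line):
    """Split one protocol line into (event, session_id, params).
    Returns None for non-report lines such as config|ready.
    Assumed layout: report|version|timestamp|subsystem|event|session|params..."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < 6 or parts[0] != "report":
        return None
    return parts[4], parts[5], parts[6:]


def auth_failures(lines, threshold=3):
    """Return {session_id: (src, failed_attempts)} for sessions at or above threshold.
    Only AUTH attempts that reached the auth check produce link-auth; commands
    rejected earlier (no EHLO, auth not advertised, bad method) emit no report."""
    src = {}
    fails = defaultdict(int)
    for line in lines:
        parsed = parse_report(line)
        if parsed is None:
            continue
        event, sid, params = parsed
        if event == "link-connect" and len(params) >= 3:
            src[sid] = params[2]  # assumed layout: rdns|fcrdns|src|dest
        elif event == "link-auth" and len(params) >= 2:
            # Pick the result by value so username|result and result|username both work.
            result = params[-1] if params[-1] in AUTH_RESULTS else params[0]
            if result != "pass":
                fails[sid] += 1
    return {sid: (src.get(sid, "unknown"), n)
            for sid, n in fails.items() if n >= threshold}
```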