Bogdan Enache:
> Hi.
> When a user inputs an incorrect password, I have the following message
> in the logs:
> mx1 postfix/smtpd[1069]: warning: unknown[89.xx.xx.xx]: SASL LOGIN
> authentication failed: UGFzc3dvcmQ6
> Which is perfectly normal.

'UGFzc3dvcmQ6' decodes into 'Password:'. That's part of the
SASL LOGIN protocol. There are a dozen different protocols,
and those protocols are implemented by the Cyrus SASL library
or Dovecot authentication server.

Postfix normally retrieves the username from the Cyrus SASL library
AFTER successful authentication. The libsasl "documentation" does
not promise that such information is available after login failure.

> But how can I also show the username that was tried in the logs? I want
> to see:
> 1. Which user keeps entering the wrong password.
> 2. What user is someone else trying to hijack.

This requires adding code that looks up the username after
authentication failure, and finding out whether that information
is available at all.

Another approach would be to rate-limit AUTH commands (by duplicating
the code for rate-limiting the STARTTLS command).  That would stop
a dictionary attack from one bad client, but not from a botnet.

Or, one could run a network sniffer and rip the information from the
TCP packets.

        Wietse
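The decoding step Wietse describes, as an added example that is not part of the original thread: it parses the "SASL ... authentication failed:" warning lines quoted above, decodes the trailing base64 token (which for LOGIN is the server's last challenge, "Username:" or "Password:", not anything the client typed), and counts failures per client address, which is the per-client view a rate limit would act on. The log lines are constructed samples in the same format as the one in the question.

```python
import base64
import re
from collections import Counter

# Constructed sample log lines in the format quoted in the thread (not real data).
SAMPLE_LOG = """\
mx1 postfix/smtpd[1069]: warning: unknown[89.0.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mx1 postfix/smtpd[1069]: warning: unknown[89.0.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mx1 postfix/smtpd[1072]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: VXNlcm5hbWU6
mx1 postfix/smtpd[1073]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed:
"""

# Matches the smtpd warning; the base64 token after "failed:" is optional
# because not every mechanism logs one.
FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed:(?: (?P<token>\S+))?"
)

def decode_challenge(token):
    """Decode the base64 blob Postfix appends to the failure line.

    For the LOGIN mechanism this is the last server challenge
    ("Username:" or "Password:"), so it never reveals the username
    that was tried. Returns None if there is no token or it is not
    valid base64/ASCII."""
    if not token:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def parse_failures(log_text):
    """Yield (client_ip, mechanism, decoded_challenge) per failure line."""
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mech"), decode_challenge(m.group("token"))

def failures_per_client(log_text):
    """Count failed AUTH attempts per client IP. Many failures from one
    address is the single-client dictionary attack a rate limit on AUTH
    would slow down; the same total spread thinly over many addresses
    is the botnet case it would not."""
    return Counter(ip for ip, _, _ in parse_failures(log_text))
```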
