On 25/02/2017 05:28, Noel Jones wrote:
On 2/24/2017 5:55 PM, James wrote:
Current versions of postfix will log that AUTH was attempted, but do
not log what the client sends.  You can grep the logs for 'auth=0'
to see unsuccessful auth attempts.

postfix/smtpd[58629]: disconnect from unknown[192.168.0.33] ehlo=1
auth=0/1 commands=1/2

   -- Noel Jones
I was hoping there might be some setting that would cause log
entries like:

postfix/smtpd[12345]: NOQUEUE: AUTH rejected from
client.example.com[0.1.2.3], sasl_method=PLAIN, sasl_username=spam_r_us

As long as the sasl_username was obviously hopeless then I wouldn't
worry... but if they started using something that I thought they
shouldn't know about then I'd start getting worried.

I'm pretty sure the sasl_username part of the log (and probably the
method too) is supplied by the sasl library, which is never called
when sasl isn't offered.

When sasl isn't offered but the client sends AUTH anyway, it should
be possible for postfix to log the (sanitized) AUTH command the
client sends, but it will be encoded.  The encoding as recorded in
the log may be (I think likely) broken by the log sanitizer.

My impression is this won't be as useful as you hope. Or my analysis
could be flawed.

Maybe Wietse or others have something to add.

If you use dovecot for SASL authentication with settings log_path = syslog, auth_verbose = yes, then you can see attempted logins and the reason for failure easily enough:

# grep "dovecot: auth: " /var/log/mail.log

2017-02-17 13:17:03 vps344433 dovecot: auth: passwd-file(test,211.110.17.172): unknown user (SHA1 of given password: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3)

2017-02-17 13:17:14 vps344433 dovecot: auth: passwd-file(test,211.110.17.172): unknown user (SHA1 of given password: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8)

2017-02-17 13:17:29 vps344433 dovecot: auth: passwd-file(test,211.110.17.172): unknown user (SHA1 of given password: 7c4a8d09ca3762af61e59520943dc26494f8941b)

2017-02-17 13:19:27 vps344433 dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
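
As an added example (not code from any poster in this thread), the two log sources mentioned above can be summarised per client IP: Postfix's `auth=succeeded/attempted` session counter and Dovecot's `auth_verbose` failure lines. It generalises the `auth=0` grep to any session where fewer AUTH commands succeeded than were attempted; the sample lines, function names and the `real_users` list are constructed for illustration.

```python
import re

# Postfix per-session summary: auth=<succeeded>/<attempted> is logged when
# at least one AUTH command in the session failed.
POSTFIX_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from \S*\[(?P<ip>[^\]]+)\]"
    r".*?\bauth=(?P<ok>\d+)/(?P<total>\d+)")
# Dovecot auth_verbose failure: <passdb>(<user>,<ip>): <reason> [(SHA1 ...)]
DOVECOT_RE = re.compile(
    r"dovecot: auth: [\w-]+\((?P<user>[^,)]*),(?P<ip>[^,)]+)[^)]*\): "
    r"(?P<reason>[^(]+)")

# Constructed sample lines (documentation IP ranges, hypothetical host "mx").
SAMPLE = [
    "Feb 17 13:17:03 mx postfix/smtpd[58629]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2",
    "Feb 17 13:17:05 mx postfix/smtpd[58630]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/3 quit=1 commands=2/5",
    "Feb 17 13:17:09 mx postfix/smtpd[58631]: disconnect from mail.example.org[198.51.100.7] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6",
    "2017-02-17 13:17:14 mx dovecot: auth: passwd-file(test,192.0.2.10): unknown user (SHA1 of given password: elided)",
    "2017-02-17 13:17:29 mx dovecot: auth: passwd-file(postmaster,192.0.2.10): unknown user",
    "2017-02-17 13:19:27 mx dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer",
]

def failed_auth_by_ip(lines):
    """Map client IP -> failure counts per daemon and the usernames tried."""
    report = {}
    for line in lines:
        pm, dm = POSTFIX_RE.search(line), DOVECOT_RE.search(line)
        if not (pm or dm):
            continue
        entry = report.setdefault(
            (pm or dm)["ip"],
            {"smtp_failed": 0, "dovecot_failed": 0, "users": set()})
        if pm:
            entry["smtp_failed"] += int(pm["total"]) - int(pm["ok"])
        else:
            # Counted separately: when Dovecot is Postfix's SASL backend,
            # both daemons log the same failed attempt.
            entry["dovecot_failed"] += 1
            entry["users"].add(dm["user"])
    return report

def real_accounts_probed(report, real_users):
    """Return {ip: real account names tried}, the case worth a closer look."""
    hits = {ip: sorted(e["users"] & set(real_users)) for ip, e in report.items()}
    return {ip: names for ip, names in hits.items() if names}

if __name__ == "__main__":
    summary = failed_auth_by_ip(SAMPLE)
    print(summary)
    print(real_accounts_probed(summary, {"postmaster", "alice"}))
```

Only the Dovecot lines carry a username, so the `real_accounts_probed` check depends on `auth_verbose = yes` being set as described in the last message.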
