On Mon, 22 Apr 2019 at 16:30, Bill Cole < [email protected]> wrote:
> On 22 Apr 2019, at 10:21, Gary Smithe wrote: > > > It's obvious the user is failing authentication, and from what I've > > read the word: UGFzc3dvcmQ6 is literally "Password:" My question > > is, does that mean postfix is literally receiving that word, or is it > > obfuscating the real password that was attempted? > > As Wietse says, Postfix is just passing back the error message from the > SASL library. > > As a direct answer: testing indicates that this what Postfix reports > when using the Dovecot SASL library and any bad username and password > combination is used. For example, the test below uses a non-existent > user, yet the response is with the encoded "Password" string that is > used as a prompt in the "login" SASL mechanism: > > # openssl s_client -connect localhost:465 > [...] > 220 toaster.scconsult.com ESMTP Postfix > ehlo localhost.localdomain > 250-toaster.scconsult.com > 250-PIPELINING > 250-SIZE 40960000 > 250-ETRN > 250-AUTH PLAIN LOGIN > 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR > DESTPORT > 250-ENHANCEDSTATUSCODES > 250-8BITMIME > 250-DSN > 250-SMTPUTF8 > 250 CHUNKING > auth login > 334 VXNlcm5hbWU6 > YmlsbEBzY2NvbnN1bHQuY29t > 334 UGFzc3dvcmQ6 > cmVhbGx5YmFkcGFzc3dvcmQ= > 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6 > quit > 221 2.0.0 Bye > > # grep '^Apr 22 11:10.*authentication failed' mail.log > Apr 22 11:10:12 bigsky postfix/smtps/smtpd[95883]: warning: > localhost[127.0.0.1]: SASL login authentication failed: UGFzc3dvcmQ6 > With dovecot, adding these lines to configuration should enable logging in the clear of failed passwords: auth_verbose = yes auth_verbose_passwords = plain
