Re: Postfix and Dovecot SASL: log NTLM username
In fact, looking again, dovecot should log the failure with username, if
available.

Aki

On 24.05.2017 09:22, Aki Tuomi wrote:
> As band-aid you could try looking at the SASL message, if you decode64
> it might contain the username in plain text.
>
> Aki
>
>
> On 23.05.2017 17:44, Bradley Giesbrecht wrote:
>> The problem we are facing is incorrect authentications being caught by
>> firewall rules and IP’s getting blocked. We would like to be able to
>> identify the problem account to help the domain admin track down the issue.
>>
>> Does anyone have another idea? We use sql user db so I thought of logging
>> all login attempts to a table with timestamps and lookup the failed logins
>> by timestamp.
>>
>>
>> Regards,
>> Bradley Giesbrecht (pixilla)
>>
>>
>>> On May 22, 2017, at 10:54 PM, Aki Tuomi wrote:
>>>
>>> The problem is that the SASL message contains NTLM(v2) message, so it
>>> would need to be decoded. We can see if there is something we can do
>>> about this. At the moment it's not possible to log this.
>>>
>>> Aki
>>>
>>>
>>> On 23.05.2017 03:23, Bradley Giesbrecht wrote:
>>>> dovecot 2.2.22
>>>> postfix 3.1.1
>>>>
>>>> I’m seeing "SASL NTLM authentication failed: {long_hash}" in mail.log.
>>>>
>>>> Is there a way to log the SASL username?
>>>>
>>>> I think postfix is logging what Dovecot SASL is returning so I hope I am
>>>> asking on the right list.
>>>>
>>>>
>>>> Regards,
>>>> Bradley Giesbrecht (pixilla)
Re: Postfix and Dovecot SASL: log NTLM username
As band-aid you could try looking at the SASL message, if you decode64 it
might contain the username in plain text.

Aki

On 23.05.2017 17:44, Bradley Giesbrecht wrote:
> The problem we are facing is incorrect authentications being caught by
> firewall rules and IP’s getting blocked. We would like to be able to identify
> the problem account to help the domain admin track down the issue.
>
> Does anyone have another idea? We use sql user db so I thought of logging all
> login attempts to a table with timestamps and lookup the failed logins by
> timestamp.
>
>
> Regards,
> Bradley Giesbrecht (pixilla)
>
>
>> On May 22, 2017, at 10:54 PM, Aki Tuomi wrote:
>>
>> The problem is that the SASL message contains NTLM(v2) message, so it
>> would need to be decoded. We can see if there is something we can do
>> about this. At the moment it's not possible to log this.
>>
>> Aki
>>
>>
>> On 23.05.2017 03:23, Bradley Giesbrecht wrote:
>>> dovecot 2.2.22
>>> postfix 3.1.1
>>>
>>> I’m seeing "SASL NTLM authentication failed: {long_hash}" in mail.log.
>>>
>>> Is there a way to log the SASL username?
>>>
>>> I think postfix is logging what Dovecot SASL is returning so I hope I am
>>> asking on the right list.
>>>
>>>
>>> Regards,
>>> Bradley Giesbrecht (pixilla)
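
Added example, not part of the original message and not Dovecot or Postfix code: a sketch of the base64-decoding band-aid described above, reading the domain, user and workstation fields from an NTLM Type 3 (AUTHENTICATE) message. Only Type 3 carries a user name, so a logged Type 1 or Type 2 blob yields none; the sample message is constructed, and `cp437` is an assumed stand-in for the client's OEM code page.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # set: strings are UTF-16LE; clear: OEM code page


def field(msg, pos):
    """Return the payload of the (Len, MaxLen, Offset) descriptor at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]


def ntlm_identity(b64_message):
    """Decode a base64 NTLM message; only Type 3 carries a user name."""
    msg = base64.b64decode(b64_message, validate=True)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    result = {"type": msg_type, "domain": None, "user": None, "workstation": None}
    if msg_type != 3:  # Type 1/2 carry no user name
        return result
    if len(msg) < 64:
        raise ValueError("truncated AUTHENTICATE message")
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Assumption: cp437 stands in for the client's unknown OEM code page.
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
        result[name] = field(msg, pos).decode(codec, errors="replace")
    return result


def constructed_sample():
    """Build a constructed Type 3 message with dummy responses (not real traffic)."""
    domain, user, host = (s.encode("utf-16-le") for s in ("EXAMPLE", "alice", "WS01"))
    header, payload = b"", b""
    # Order: LM response, NT response, domain, user, workstation, session key.
    for buf in (b"\x00" * 24, b"\x11" * 24, domain, user, host, b""):
        header += struct.pack("<HHI", len(buf), len(buf), 64 + len(payload))
        payload += buf
    msg = SIGNATURE + struct.pack("<I", 3) + header
    msg += struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    print(ntlm_identity(constructed_sample()))
```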
Re: Postfix and Dovecot SASL: log NTLM username
The problem we are facing is incorrect authentications being caught by
firewall rules and IP’s getting blocked. We would like to be able to identify
the problem account to help the domain admin track down the issue.

Does anyone have another idea? We use sql user db so I thought of logging all
login attempts to a table with timestamps and lookup the failed logins by
timestamp.

Regards,
Bradley Giesbrecht (pixilla)

> On May 22, 2017, at 10:54 PM, Aki Tuomi wrote:
>
> The problem is that the SASL message contains NTLM(v2) message, so it
> would need to be decoded. We can see if there is something we can do
> about this. At the moment it's not possible to log this.
>
> Aki
>
>
> On 23.05.2017 03:23, Bradley Giesbrecht wrote:
>> dovecot 2.2.22
>> postfix 3.1.1
>>
>> I’m seeing "SASL NTLM authentication failed: {long_hash}" in mail.log.
>>
>> Is there a way to log the SASL username?
>>
>> I think postfix is logging what Dovecot SASL is returning so I hope I am
>> asking on the right list.
>>
>>
>> Regards,
>> Bradley Giesbrecht (pixilla)
Re: Sender address when notifying original recipient
On 22 May 2017, at 10.07, Christoph Pleger wrote:
>
> Hello,
>
> I am using sieve with notification of the original recipient in the case
> that an email has been identified to contain a virus. After upgrading
> dovecot from 2.2.21 to 2.2.29.1, I now detected that in these
> notifications, their sender address is now , instead of , like it was
> before. Is it possible to revert to the old format?
>>> No idea so far? Though I forgot to write that I also updated
>>> pigeonhole, the change in the format of the sender address must be
>>> caused by the updates, for I changed nothing else on my server.
>> That looks like a bug of some sort. What is your configuration (output
>> from `dovecot -n`)? What exact Sieve script demonstrates this behavior?
>
> The output of 'dovecot -n' is attached.

It's because you have auth_username_format = %Ln, which strips away the
domain.
[imaptest] Explaining errors
Hi,

I'm an Apache James committer and we are curious to use imaptest in order to
validate our IMAP protocol implementation.

I'm using the nightly build: imaptest-20170506

I follow the examples given in the "Test IMAP server compliancy" examples
https://imapwiki.org/ImapTest/Examples.

And I wanted to analyse the errors reported, here are some:

Error: us...@james.org[11]: seq too high (16 > 15, state=APPEND): * 16 FETCH (BODY[HEADER.FIELDS (In-Reply-To From) ] "From: marc...@carpa.ciagri.usp.br")
Error: us...@james.org[14]: seq too high (26 > 25, state=APPEND): * 26 FETCH (MODSEQ (6068) FLAGS (\Answered \Draft \Flagged))
Error: us...@james.org[14]: seq too high (20 > 16, state=APPEND): * 20 EXPUNGE
Error: use...@james.org[18]: Keyword used without being in FLAGS: $Label1: * 1 FETCH (MODSEQ (8) FLAGS (\Answered \Deleted \Draft $Label1 $Label3))
Error: Checkpoint: Total RECENT count 6 larger than current message count 3
Warning: Disabling \Recent flag tracking
Error: us...@james.org[5]: Owned flag changed: \Deleted: * 7 FETCH (FLAGS (\Answered \Deleted \Recent $Label2))
Error: us...@james.org[5]: STORE didn't return FETCH FLAGS for seq 18 (expunged=yes): 5.75 OK STORE completed.
Error: us...@james.org[1]: SEARCH result missing seq 2 (uid 0): 1.13 OK SEARCH completed.
Error: Keyword '$Label1' dropped, but it still had 1 references

Do you have a link explaining what are those failures?

Is there a report by IMAP command giving us an idea about our compliancy?

Do you allow us to communicate about such tests, for example:
- in news http://james.apache.org/#posts ?
- in medium article ?

We also would like to have James mentioned in the servers status page
https://imapwiki.org/ImapTest/ServerStatus

How may we help you for that?
Thanks in advance,

--
Antoine Duprat
Developer, LGS/OBM/R&D
Committer/PMC Apache James
--
GROUPE LINAGORA
74-80 rue Roque de Fillol
92800 Puteaux
+33 (0)8 10 25 12 51
+33 (0)6 45 63 27 17
adup...@linagora.com