Re: Postfix and Dovecot SASL: log NTLM username

2017-05-24 Thread Bradley Giesbrecht
The message in my log is logged by postfix/smtpd which is using dovecot for 
sasl.

Should dovecot sasl be passing the username back to postfix?

Brad

> On May 23, 2017, at 11:33 PM, Aki Tuomi  wrote:
> 
> In fact, looking again, dovecot should log the failure with username, if
> available.
> 
> Aki
> 
> On 24.05.2017 09:22, Aki Tuomi wrote:
>> As band-aid you could try looking at the SASL message, if you decode64
>> it might contain the username in plain text.
>> 
>> Aki
>> 
>> 
>> On 23.05.2017 17:44, Bradley Giesbrecht wrote:
>>> The problem we are facing is incorrect authentications being caught by 
>>> firewall rules and IPs getting blocked. We would like to be able to 
>>> identify the problem account to help the domain admin track down the issue.
>>> 
>>> Does anyone have another idea? We use sql user db so I thought of logging 
>>> all login attempts to a table with timestamps and lookup the failed logins 
>>> by timestamp.
>>> 
>>> 
>>> Regards,
>>> Bradley Giesbrecht (pixilla)
>>> 
>>> 
>>>> On May 22, 2017, at 10:54 PM, Aki Tuomi  wrote:
>>>>
>>>> The problem is that the SASL message contains NTLM(v2) message, so it
>>>> would need to be decoded. We can see if there is something we can do
>>>> about this. At the moment it's not possible to log this.
>>>>
>>>> Aki
>>>>
>>>>
>>>> On 23.05.2017 03:23, Bradley Giesbrecht wrote:
>>>>> dovecot 2.2.22
>>>>> postfix 3.1.1
>>>>>
>>>>> I’m seeing "SASL NTLM authentication failed: {long_hash}" in mail.log.
>>>>>
>>>>> Is there a way to log the SASL username?
>>>>>
>>>>> I think postfix is logging what Dovecot SASL is returning so I hope I am 
>>>>> asking on the right list.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Bradley Giesbrecht (pixilla)


Re: Postfix and Dovecot SASL: log NTLM username

2017-05-24 Thread Aki Tuomi
In fact, looking again, dovecot should log the failure with username, if
available.

Aki

On 24.05.2017 09:22, Aki Tuomi wrote:
> As band-aid you could try looking at the SASL message, if you decode64
> it might contain the username in plain text.
>
> Aki
>
>
> On 23.05.2017 17:44, Bradley Giesbrecht wrote:
>> The problem we are facing is incorrect authentications being caught by 
>> firewall rules and IPs getting blocked. We would like to be able to 
>> identify the problem account to help the domain admin track down the issue.
>>
>> Does anyone have another idea? We use sql user db so I thought of logging 
>> all login attempts to a table with timestamps and lookup the failed logins 
>> by timestamp.
>>
>>
>> Regards,
>> Bradley Giesbrecht (pixilla)
>>
>>
>>> On May 22, 2017, at 10:54 PM, Aki Tuomi  wrote:
>>>
>>> The problem is that the SASL message contains NTLM(v2) message, so it
>>> would need to be decoded. We can see if there is something we can do
>>> about this. At the moment it's not possible to log this.
>>>
>>> Aki
>>>
>>>
>>> On 23.05.2017 03:23, Bradley Giesbrecht wrote:
>>>> dovecot 2.2.22
>>>> postfix 3.1.1
>>>>
>>>> I’m seeing "SASL NTLM authentication failed: {long_hash}" in mail.log.
>>>>
>>>> Is there a way to log the SASL username?
>>>>
>>>> I think postfix is logging what Dovecot SASL is returning so I hope I am 
>>>> asking on the right list.
>>>>
>>>>
>>>> Regards,
>>>> Bradley Giesbrecht (pixilla)


Re: Postfix and Dovecot SASL: log NTLM username

2017-05-24 Thread Aki Tuomi
As band-aid you could try looking at the SASL message, if you decode64
it might contain the username in plain text.

Aki


On 23.05.2017 17:44, Bradley Giesbrecht wrote:
> The problem we are facing is incorrect authentications being caught by 
> firewall rules and IPs getting blocked. We would like to be able to identify 
> the problem account to help the domain admin track down the issue.
>
> Does anyone have another idea? We use sql user db so I thought of logging all 
> login attempts to a table with timestamps and lookup the failed logins by 
> timestamp.
>
>
> Regards,
> Bradley Giesbrecht (pixilla)
>
>
>> On May 22, 2017, at 10:54 PM, Aki Tuomi  wrote:
>>
>> The problem is that the SASL message contains NTLM(v2) message, so it
>> would need to be decoded. We can see if there is something we can do
>> about this. At the moment it's not possible to log this.
>>
>> Aki
>>
>>
>> On 23.05.2017 03:23, Bradley Giesbrecht wrote:
>>> dovecot 2.2.22
>>> postfix 3.1.1
>>>
>>> I’m seeing "SASL NTLM authentication failed: {long_hash}" in mail.log.
>>>
>>> Is there a way to log the SASL username?
>>>
>>> I think postfix is logging what Dovecot SASL is returning so I hope I am 
>>> asking on the right list.
>>>
>>>
>>> Regards,
>>> Bradley Giesbrecht (pixilla)
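
The band-aid suggested in the message above, as an added example (not code from the thread, Dovecot or Postfix): base64-decode the logged blob and, if it is an NTLM AUTHENTICATE (type 3) message, read the user name from its field table. Whether the string Postfix logs is a type 3 message is an assumption, so the parser returns None for other message types; the cp437 fallback for non-Unicode strings and the sample blob are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise


def _field(msg, pos):
    """Read one (Len, MaxLen, Offset) descriptor and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]


def ntlm_identity(b64_blob):
    """Return domain, user and workstation from a base64 NTLM AUTHENTICATE
    (type 3) message, or None if the blob is another NTLM message type."""
    msg = base64.b64decode(b64_blob, validate=True)
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        return None  # type 1 (negotiate) and type 2 (challenge) carry no user name
    if len(msg) < 64:
        raise ValueError("truncated AUTHENTICATE message")
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM codepage assumed
    names = {"domain": 28, "user": 36, "workstation": 44}  # descriptor offsets
    return {k: _field(msg, pos).decode(enc, errors="replace") for k, pos in names.items()}


def _sample_type3(domain, user, host):
    """Build a constructed type 3 message with empty LM/NT responses (test data only)."""
    parts = [s.encode("utf-16-le") for s in (domain, user, host)]
    offset, payload = 64, b""
    fields = struct.pack("<HHI", 0, 0, offset) * 2       # LM and NT responses: empty
    for p in parts:
        fields += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    fields += struct.pack("<HHI", 0, 0, offset)          # session key: empty
    head = NTLMSSP_SIG + struct.pack("<I", 3)
    return base64.b64encode(head + fields + struct.pack("<I", NEGOTIATE_UNICODE) + payload).decode()


SAMPLE = _sample_type3("EXAMPLE", "jdoe", "WS01")  # constructed, not from the thread
print(ntlm_identity(SAMPLE))
```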


Re: Postfix and Dovecot SASL: log NTLM username

2017-05-23 Thread Bradley Giesbrecht
The problem we are facing is incorrect authentications being caught by firewall 
rules and IPs getting blocked. We would like to be able to identify the 
problem account to help the domain admin track down the issue.

Does anyone have another idea? We use sql user db so I thought of logging all 
login attempts to a table with timestamps and lookup the failed logins by 
timestamp.


Regards,
Bradley Giesbrecht (pixilla)


> On May 22, 2017, at 10:54 PM, Aki Tuomi  wrote:
> 
> The problem is that the SASL message contains NTLM(v2) message, so it
> would need to be decoded. We can see if there is something we can do
> about this. At the moment it's not possible to log this.
> 
> Aki
> 
> 
> On 23.05.2017 03:23, Bradley Giesbrecht wrote:
>> dovecot 2.2.22
>> postfix 3.1.1
>> 
>> I’m seeing "SASL NTLM authentication failed: {long_hash}" in mail.log.
>> 
>> Is there a way to log the SASL username?
>> 
>> I think postfix is logging what Dovecot SASL is returning so I hope I am 
>> asking on the right list.
>> 
>> 
>> Regards,
>> Bradley Giesbrecht (pixilla)


Re: Postfix and Dovecot SASL: log NTLM username

2017-05-22 Thread Aki Tuomi
The problem is that the SASL message contains NTLM(v2) message, so it
would need to be decoded. We can see if there is something we can do
about this. At the moment it's not possible to log this.

Aki


On 23.05.2017 03:23, Bradley Giesbrecht wrote:
> dovecot 2.2.22
> postfix 3.1.1
>
> I’m seeing "SASL NTLM authentication failed: {long_hash}" in mail.log.
>
> Is there a way to log the SASL username?
>
> I think postfix is logging what Dovecot SASL is returning so I hope I am 
> asking on the right list.
>
>
> Regards,
> Bradley Giesbrecht (pixilla)


Postfix and Dovecot SASL: log NTLM username

2017-05-22 Thread Bradley Giesbrecht
dovecot 2.2.22
postfix 3.1.1

I’m seeing "SASL NTLM authentication failed: {long_hash}" in mail.log.

Is there a way to log the SASL username?

I think postfix is logging what Dovecot SASL is returning so I hope I am asking 
on the right list.


Regards,
Bradley Giesbrecht (pixilla)