As a band-aid, you could try looking at the SASL message; if you decode64 it, it might contain the username in plain text.

Aki

On 23.05.2017 17:44, Bradley Giesbrecht wrote:
> The problem we are facing is incorrect authentications being caught by
> firewall rules and IP’s getting blocked. We would like to be able to identify
> the problem account to help the domain admin track down the issue.
>
> Does anyone have another idea? We use sql user db so I thought of logging all
> login attempts to a table with timestamps and lookup the failed logins by
> timestamp.
>
> Regards,
> Bradley Giesbrecht (pixilla)
>
>> On May 22, 2017, at 10:54 PM, Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>>
>> The problem is that the SASL message contains NTLM(v2) message, so it
>> would need to be decoded. We can see if there is something we can do
>> about this. At the moment it's not possible to log this.
>>
>> Aki
>>
>> On 23.05.2017 03:23, Bradley Giesbrecht wrote:
>>> dovecot 2.2.22
>>> postfix 3.1.1
>>>
>>> I’m seeing "SASL NTLM authentication failed: {long_hash}" in mail.log.
>>>
>>> Is there a way to log the SASL username?
>>>
>>> I think postfix is logging what Dovecot SASL is returning so I hope I am
>>> asking on the right list.
>>>
>>> Regards,
>>> Bradley Giesbrecht (pixilla)
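
The base64 decoding suggested in the thread, as an added example that is not part of the original messages and is not Dovecot or Postfix code: it decodes a logged NTLM blob, reports which of the three NTLM message types it is, and extracts the account only from a type 3 (authenticate) message, since types 1 and 2 carry no user name. The function names are hypothetical, the sample message is constructed, and the code assumes the common type 3 layout with the flags word at offset 60 and cp437 as the OEM code page.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise


def read_field(msg, pos):
    """Return the payload of the (len, maxlen, offset) security buffer at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def parse_ntlm_blob(b64_blob):
    """Decode a base64 NTLM message; for type 3 return the account it names."""
    msg = base64.b64decode(b64_blob, validate=True)  # raises ValueError if not base64
    if len(msg) < 12 or not msg.startswith(NTLMSSP_SIG):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        # Type 1 (negotiate) and type 2 (challenge) carry no user name.
        return {"type": msg_type, "user": None}
    if len(msg) < 64:
        raise ValueError("truncated type 3 message")
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM page assumed
    domain, user, host = (read_field(msg, p).decode(enc, "replace") for p in (28, 36, 44))
    return {"type": 3, "domain": domain, "user": user, "workstation": host}


def constructed_type3(user, domain, host):
    """Build a minimal type 3 message for the demo (constructed, not a capture)."""
    # Field order: LM response, NT response, domain, user, workstation, session key.
    parts = [bytes(24), bytes(24)] + [s.encode("utf-16-le") for s in (domain, user, host)] + [b""]
    header, payload = b"", b""
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), 64 + len(payload))
        payload += p
    msg = NTLMSSP_SIG + struct.pack("<I", 3) + header + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return base64.b64encode(msg).decode()


if __name__ == "__main__":
    blob = constructed_type3("jdoe", "EXAMPLE", "WS01")
    print(parse_ntlm_blob(blob))
```

If the logged blob turns out to be a type 1 or type 2 message, the result has `user` set to `None`, and the account has to be identified some other way.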