In fact, looking again, dovecot should log the failure with username, if available.

Aki

On 24.05.2017 09:22, Aki Tuomi wrote:
> As band-aid you could try looking at the SASL message, if you decode64
> it might contain the username in plain text.
>
> Aki
>
>
> On 23.05.2017 17:44, Bradley Giesbrecht wrote:
>> The problem we are facing is incorrect authentications being caught by
>> firewall rules and IP’s getting blocked. We would like to be able to
>> identify the problem account to help the domain admin track down the issue.
>>
>> Does anyone have another idea? We use sql user db so I thought of logging
>> all login attempts to a table with timestamps and lookup the failed logins
>> by timestamp.
>>
>>
>> Regards,
>> Bradley Giesbrecht (pixilla)
>>
>>
>>> On May 22, 2017, at 10:54 PM, Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>>>
>>> The problem is that the SASL message contains NTLM(v2) message, so it
>>> would need to be decoded. We can see if there is something we can do
>>> about this. At the moment it's not possible to log this.
>>>
>>> Aki
>>>
>>>
>>> On 23.05.2017 03:23, Bradley Giesbrecht wrote:
>>>> dovecot 2.2.22
>>>> postfix 3.1.1
>>>>
>>>> I’m seeing "SASL NTLM authentication failed: {long_hash}" in mail.log.
>>>>
>>>> Is there a way to log the SASL username?
>>>>
>>>> I think postfix is logging what Dovecot SASL is returning so I hope I am
>>>> asking on the right list.
>>>>
>>>>
>>>> Regards,
>>>> Bradley Giesbrecht (pixilla)