Hi Wietse,

On Fri, 6 Oct 2023, Wietse Venema via Postfix-users wrote:
> Jozsef Kadlecsik via Postfix-users:
> > Hi,
> >
> > Is there a way to get the SASL username logged for the failed
> > authentications together with the client IP data? Postfix can log half of
> > the information, the connecting client IP address, while Cyrus saslauthd
> > logs the second half, the username. However, there's no clear way (except
> > the timestamp) to correlate the two together. How could one achieve
> > logging both together?
>
> You may be able to turn on logging in the SASL backend (Cyrus,
> Dovecot).

Unfortunately that does not help.

> Postfix DOES NOT implement the SASL protocol, therefore DOES NOT
> know what is in the SASL protocol messages.

If I increase the log_level to 4 in the sasl config for smtpd and add -v
to smtpd in master.cf, then the username is reported in the log:

postfix/smtpd[44062]: xsasl_cyrus_server_first: sasl_method LOGIN
postfix/smtpd[44062]: xsasl_cyrus_server_auth_response: uncoded server challenge: Username:
postfix/smtpd[44062]: > client[IP]: 334 VXNlcm5hbWU6
postfix/smtpd[44062]: < client[IP]: a2FkbGVjQGJsYWNraG9sZS5rZmtpLmh1
postfix/smtpd[44062]: xsasl_cyrus_server_next: decoded response: kad...@blackhole.kfki.hu

However, it is a debug mode and cannot be used in production.

It is clear that the SASL protocol is not implemented and thus the
messages have no meaning, they are just reported. However, it seems the
data is there and available. Would you consider applying a patch like
this:

diff --git a/src/smtpd/smtpd_sasl_glue.c b/src/smtpd/smtpd_sasl_glue.c
index 020c830..a22ae9f 100644
--- a/src/smtpd/smtpd_sasl_glue.c
+++ b/src/smtpd/smtpd_sasl_glue.c
@@ -320,10 +320,16 @@ int smtpd_sasl_authenticate(SMTPD_STATE *state,
             return (-1);
         }
     }
+    sasl_username = xsasl_server_get_username(state->sasl_server);
     if (status != XSASL_AUTH_DONE) {
-        msg_warn("%s: SASL %s authentication failed: %s",
-                 state->namaddr, sasl_method,
-                 STR(state->sasl_reply));
+        if (sasl_username == 0)
+            msg_warn("%s: SASL %s authentication failed: %s",
+                     state->namaddr, sasl_method,
+                     STR(state->sasl_reply));
+        else
+            msg_warn("%s: SASL %s authentication failed: %s, sasl_username=%s",
+                     state->namaddr, sasl_method,
+                     STR(state->sasl_reply), sasl_username);
         /* RFC 4954 Section 6. */
         if (status == XSASL_AUTH_TEMP)
             smtpd_chat_reply(state, "454 4.7.0 Temporary authentication failure: %s",
@@ -335,7 +341,7 @@ int smtpd_sasl_authenticate(SMTPD_STATE *state,
     }
     /* RFC 4954 Section 6. */
     smtpd_chat_reply(state, "235 2.7.0 Authentication successful");
-    if ((sasl_username = xsasl_server_get_username(state->sasl_server)) == 0)
+    if (sasl_username == 0)
         msg_panic("cannot look up the authenticated SASL username");
     state->sasl_username = mystrdup(sasl_username);
     printable(state->sasl_username, '?');

According to my tests the username is logged when the authentication
fails and the username is available.

Best regards,
Jozsef
-
E-mail  : kad...@blackhole.kfki.hu, kadlecsik.joz...@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
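Review bot: the new failure-path `msg_warn("%s: SASL %s authentication failed: %s, sasl_username=%s", ...)` in the first hunk writes sasl_username to the log unsanitised, while the success path in the second hunk runs `printable(state->sasl_username, '?')` on the same value before it is kept; on the failure path the value was supplied by an unauthenticated client, so control characters or line breaks in it would land in the log verbatim. Copy it and sanitise it before logging (e.g. `char *tmp = mystrdup(sasl_username); printable(tmp, '?');` then `myfree(tmp)` after the msg_warn). Also, `sasl_username = xsasl_server_get_username(state->sasl_server)` is now called before the status check, whereas the original code only consulted it after XSASL_AUTH_DONE; whether a backend returns a username for an exchange that did not complete is backend-dependent, and the `== 0` branch only covers the case where it returns nothing, so the commit message should say which backends were tested and that the extra field is best effort.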
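Review bot: in the second hunk `if (sasl_username == 0)` now tests a value fetched some fifteen lines earlier, above the status check, and the `msg_panic("cannot look up the authenticated SASL username")` no longer sits next to the lookup it reports on. Either keep the panic beside its lookup, or add a one-line comment at the new assignment site noting that the result is used on both the failure and the success path, so a later edit does not move the call back behind the status check and leave this branch reading an unset variable.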
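A worked example of the timestamp correlation the thread describes, added here and not code from the original post or from Postfix: it pairs each postfix/smtpd SASL failure warning with the nearest preceding saslauthd failure line by timestamp, and runs the recovered username through a sanitiser before reporting it. The sample log lines are constructed (modelled on the default saslauthd and postfix/smtpd message formats), the two-second pairing window is an assumption, and printable() is a Python stand-in for the sanitisation Postfix's success path applies, not the C function itself.

```python
"""Correlate postfix/smtpd SASL failure warnings with saslauthd failures.

Added example, not code from the original post or from Postfix. The two
daemons share no request identifier, so the only join key is timestamp
proximity plus log order (saslauthd reports the failure just before
smtpd logs its warning for the same AUTH attempt).
"""
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines, modelled on the default formats of
# saslauthd and postfix/smtpd; they are not from the original post. The
# second saslauthd line carries an ESC byte in the username to show why
# the value must be sanitised before it is written anywhere.
SAMPLE_LINES = [
    "Oct  6 10:15:01 mx saslauthd[1201]: do_auth         : auth failure: "
    "[user=alice] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Oct  6 10:15:01 mx postfix/smtpd[44062]: warning: unknown[192.0.2.10]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Oct  6 10:15:02 mx postfix/smtpd[44062]: disconnect from "
    "unknown[192.0.2.10] ehlo=1 auth=0/1 quit=1 commands=2/3",
    "Oct  6 10:15:09 mx saslauthd[1202]: do_auth         : auth failure: "
    "[user=bob\x1b[31m] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Oct  6 10:15:09 mx postfix/smtpd[44063]: warning: unknown[198.51.100.7]: "
    "SASL PLAIN authentication failed: authentication failure",
    "Oct  6 10:15:20 mx postfix/smtpd[44064]: warning: unknown[203.0.113.5]: "
    "SASL LOGIN authentication failed: authentication failure",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>[\w/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SASLAUTHD_FAIL_RE = re.compile(r"auth failure: \[user=(?P<user>[^\]]*)\]")
SMTPD_FAIL_RE = re.compile(
    r"warning: \S+\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\S+) authentication failed"
)

# Assumed pairing window; widen or narrow it for the server's load.
WINDOW = timedelta(seconds=2)


def printable(value, repl="?"):
    """Python stand-in (an assumption about its exact behaviour) for the
    sanitisation Postfix applies to the SASL username on the success
    path: every character outside printable ASCII becomes REPL, so a
    client cannot push control sequences or fake lines into the log."""
    return "".join(c if 0x20 <= ord(c) < 0x7F else repl for c in value)


def parse_syslog_ts(ts):
    # Classic syslog stamps carry no year; the 1900 default is fine for
    # computing deltas within one log file.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def correlate(lines, window=WINDOW):
    """Return one dict per smtpd SASL failure with ip, mech, smtpd pid and
    the sanitised username of the nearest earlier unconsumed saslauthd
    failure within WINDOW (None when nothing matches)."""
    sasl_fail = []  # mutable [timestamp, username, consumed]
    results = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = parse_syslog_ts(m["ts"])
        if m["prog"] == "saslauthd":
            f = SASLAUTHD_FAIL_RE.search(m["msg"])
            if f:
                sasl_fail.append([ts, f["user"], False])
        elif m["prog"] == "postfix/smtpd":
            f = SMTPD_FAIL_RE.search(m["msg"])
            if not f:
                continue
            best = None
            for entry in sasl_fail:
                if entry[2] or entry[0] > ts or ts - entry[0] > window:
                    continue
                if best is None or entry[0] > best[0]:
                    best = entry
            user = None
            if best is not None:
                best[2] = True  # each saslauthd failure is paired once
                user = printable(best[1])
            results.append({"ip": f["ip"], "mech": f["mech"],
                            "pid": int(m["pid"]), "user": user})
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_LINES):
        print(f"{r['ip']:<16} {r['mech']:<6} smtpd[{r['pid']}] user={r['user']}")
```

On a busy server the nearest-timestamp rule can mis-pair attempts that land in the same second, which is the ambiguity the patch removes by having the smtpd process log the username itself; the sanitisation step is the part the patch's failure path still lacks.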