[pfx] Re: SASL username logging for failed authentications

Fri, 06 Oct 2023 13:24:37 -0700 

On Fri, 6 Oct 2023, Jozsef Kadlecsik via Postfix-users wrote:

> However it's a debug mode, cannot be used in production. It is clear that 
> SASL protocol is not implemented and thus the messages have no meaning, 
> just reported. However, it seems the data is there and available.
> 
> Would you consider applying a patch something like this:

Or better in order to escape strange characters:

diff --git a/src/smtpd/smtpd_sasl_glue.c b/src/smtpd/smtpd_sasl_glue.c
index 020c830..f58fb92 100644
--- a/src/smtpd/smtpd_sasl_glue.c
+++ b/src/smtpd/smtpd_sasl_glue.c
@@ -320,10 +320,20 @@ int     smtpd_sasl_authenticate(SMTPD_STATE *state,
            return (-1);
        }
     }
+    sasl_username = xsasl_server_get_username(state->sasl_server);
+    if (sasl_username != 0) {
+       state->sasl_username = mystrdup(sasl_username);
+       printable(state->sasl_username, '?');
+    }          
     if (status != XSASL_AUTH_DONE) {
-       msg_warn("%s: SASL %s authentication failed: %s",
-                state->namaddr, sasl_method,
-                STR(state->sasl_reply));
+       if (sasl_username == 0)
+           msg_warn("%s: SASL %s authentication failed: %s",
+                    state->namaddr, sasl_method,
+                    STR(state->sasl_reply));
+       else
+           msg_warn("%s: SASL %s authentication failed: %s, sasl_username=%s",
+                    state->namaddr, sasl_method,
+                    STR(state->sasl_reply), state->sasl_username);
        /* RFC 4954 Section 6. */
        if (status == XSASL_AUTH_TEMP)
            smtpd_chat_reply(state, "454 4.7.0 Temporary authentication 
failure: %s",
@@ -335,10 +345,8 @@ int     smtpd_sasl_authenticate(SMTPD_STATE *state,
     }
     /* RFC 4954 Section 6. */
     smtpd_chat_reply(state, "235 2.7.0 Authentication successful");
-    if ((sasl_username = xsasl_server_get_username(state->sasl_server)) == 0)
+    if (sasl_username == 0)
        msg_panic("cannot look up the authenticated SASL username");
-    state->sasl_username = mystrdup(sasl_username);
-    printable(state->sasl_username, '?');
     state->sasl_method = mystrdup(sasl_method);
     printable(state->sasl_method, '?');

Best regards,
Jozsef 
-
E-mail  : kad...@blackhole.kfki.hu, kadlecsik.joz...@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Reply via email to