Wietse Venema via Postfix-users: > I think I can take it from here. Wietse
20231006 Clenaup: attempt to log the SASL username after authentication failure. This appends ", sasl_username=xxx" to SASL authentication failure logging. Based on code by Jozsef Kadlecsik. Files: xsasl/sxasl_server.c, xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.
diff '--exclude=man' '--exclude=html' '--exclude=README_FILES' '--exclude=INSTALL' '--exclude=.indent.pro' -r -ur /var/tmp/postfix-3.9-20230924/src/smtpd/smtpd_sasl_glue.c ./src/smtpd/smtpd_sasl_glue.c
--- /var/tmp/postfix-3.9-20230924/src/smtpd/smtpd_sasl_glue.c 2020-08-30 17:03:46.000000000 -0400
+++ ./src/smtpd/smtpd_sasl_glue.c 2023-10-06 18:03:28.340781626 -0400
@@ -339,10 +339,12 @@
 return (-1);
 }
 }
+ sasl_username = xsasl_server_get_username(state->sasl_server);
 if (status != XSASL_AUTH_DONE) {
- msg_warn("%s: SASL %s authentication failed: %s",
+ msg_warn("%s: SASL %s authentication failed: %s, sasl_username=%s",
 state->namaddr, sasl_method,
- STR(state->sasl_reply));
+ STR(state->sasl_reply),
+ sasl_username ? sasl_username : "(unavailable)");
 /* RFC 4954 Section 6. */
 if (status == XSASL_AUTH_TEMP)
 smtpd_chat_reply(state, "454 4.7.0 Temporary authentication failure: %s",
@@ -354,7 +356,7 @@
 }
 /* RFC 4954 Section 6. */
 smtpd_chat_reply(state, "235 2.7.0 Authentication successful");
- if ((sasl_username = xsasl_server_get_username(state->sasl_server)) == 0)
+ if (sasl_username == 0)
 msg_panic("cannot look up the authenticated SASL username");
 state->sasl_username = mystrdup(sasl_username);
 printable(state->sasl_username, '?');
diff '--exclude=man' '--exclude=html' '--exclude=README_FILES' '--exclude=INSTALL' '--exclude=.indent.pro' -r -ur /var/tmp/postfix-3.9-20230924/src/xsasl/xsasl_cyrus_server.c ./src/xsasl/xsasl_cyrus_server.c
--- /var/tmp/postfix-3.9-20230924/src/xsasl/xsasl_cyrus_server.c 2016-06-25 20:45:17.000000000 -0400
+++ ./src/xsasl/xsasl_cyrus_server.c 2023-10-06 18:11:03.562043499 -0400
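Review bot: The value written by the new `msg_warn()` in the `status != XSASL_AUTH_DONE` branch is client-supplied and has not been authenticated, yet nothing at the call site says so, and it is emitted unquoted as the last field of the line. `printable()` presumably leaves spaces, commas and `=` intact, so log consumers that key on `sasl_username=` should treat the rest of the line as untrusted text. I would add a comment above the call such as `/* sasl_username is unauthenticated client input here; it may also hold a mistyped password, so treat the log line as sensitive. */`. The enclosing function begins and ends outside this hunk, so other uses of `sasl_username` on the failure path are not visible here.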
@@ -625,16 +625,15 @@ /* * XXX Do not free(serverout). */ + if (server->username) + myfree(server->username); sasl_status = sasl_getprop(server->sasl_conn, SASL_USERNAME, &serverout); if (sasl_status != SASL_OK || serverout == 0) { - msg_warn("%s: sasl_getprop SASL_USERNAME botch: %s", - myname, xsasl_cyrus_strerror(sasl_status)); - return (0); + server->username = 0; + } else { + server->username = mystrdup(serverout); + printable(server->username, '?'); } - if (server->username) - myfree(server->username); - server->username = mystrdup(serverout); - printable(server->username, '?'); return (server->username); } diff '--exclude=man' '--exclude=html' '--exclude=README_FILES' '--exclude=INSTALL' '--exclude=.indent.pro' -r -ur /var/tmp/postfix-3.9-20230924/src/xsasl/xsasl_server.c ./src/xsasl/xsasl_server.c --- /var/tmp/postfix-3.9-20230924/src/xsasl/xsasl_server.c 2017-12-27 17:29:45.000000000 -0500 +++ ./src/xsasl/xsasl_server.c 2023-10-06 18:34:31.938775697 -0400 @@ -123,7 +123,10 @@ /* reply. /* /* xsasl_server_get_username() returns the stored username -/* after successful authentication. +/* after successful authentication. The username may be null +/* after authentication failure, depending on the kind of +/* failure and on authentication backend inmplementation +/* details. A non-null result is converted to printable text. /* /* Arguments: /* .IP addr_family _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
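Review bot: Removing the `msg_warn()` from the `sasl_status != SASL_OK || serverout == 0` branch means the `xsasl_cyrus_strerror(sasl_status)` text is no longer logged anywhere. If the lookup fails after a successful authentication, the caller's `msg_panic("cannot look up the authenticated SASL username")` is then the only trace. Keeping the reason at verbose level would preserve it without adding noise on ordinary failures, e.g. `if (msg_verbose) msg_info("%s: sasl_getprop SASL_USERNAME: %s", myname, xsasl_cyrus_strerror(sasl_status));`. `myname` is used only on the removed lines of this hunk, and the function's start is outside the hunk, so check whether it is left unused. A short comment on the early `myfree()` would also help, for example `/* Reset first so a failed lookup never returns a name from an earlier attempt. */`.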
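Review bot: The added sentence `A non-null result is converted to printable text` in the xsasl_server.c header comment states a contract for every backend behind `xsasl_server_get_username()`, but this patch only shows the Cyrus implementation calling `printable()`. The comment should either name the backends that guarantee it or say that callers must still sanitize the value. The failure-path log line in smtpd_sasl_glue.c now relies on this guarantee without sanitizing the value itself. The same added text also misspells a word: `inmplementation` should read `implementation`.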