On 27.05.2014 22:45, Ricardo Signes wrote:
> I'm looking for a way to detect and distinguish different kinds of auth
> failures. Right now, I'm feeling a bit stuck by my inability to get all the
> data I'd like in one place at the same time.
>
> Right now, we're using SASL authentication with pwcheck. pwcheck, of course,
> only gets two data: username and password. It can't take any action based on
> the IP address of the remote.
>
> Meanwhile, postfix's logs on failure don't appear to show me the username on
> failed AUTH attempts.
>
> I'd like to be able to distinguish the cases resulting from the intersections
> of (one password over and over / many different passwords), (one username /
> many usernames), (one IP address, many IP addresses). With these data, I can
> take better action to detect, classify, and react to bad actors.
>
> I'm happy (I guess) to end up having to write code to make this happen, but I'm
> not sure where I could do it
The problem is that Postfix has no idea of the SASL internals and should not need to. In the case of Dovecot I asked a few days ago to log the username, because when using Dovecot as the SASL provider that is the only instance which decodes the input and verifies it against the user DB. Sadly, until now nobody cares except for hints like "turn debug on", which is no solution in production to help users in case of password changes when they forgot 2 out of 6 clients, especially for Apple users, since that crap needs to separately change the password for the outgoing server, while even MS Outlook 10 years ago offered a checkbox at setup "use the same credentials as for POP3/IMAP".
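An added example, not code from this thread, of the classification Ricardo asks for: it assumes the username/password side (from a pwcheck-style hook) and the client-IP side (from the Postfix log) have already been joined into one event record per failed AUTH, and keeps only a keyed fingerprint of the guessed password so repeats can be counted without storing it. How events are batched (per time window, per account) is left to the caller.

```python
import hashlib

# Assumed secret for the password fingerprint; rotate it and keep it out of logs.
FINGERPRINT_KEY = b"example-key-replace-me"


def pw_fingerprint(password: str) -> str:
    """Keyed, truncated hash: lets equal guesses be counted, never stores the guess."""
    return hashlib.sha256(FINGERPRINT_KEY + password.encode()).hexdigest()[:16]


def make_event(ip: str, user: str, password: str) -> dict:
    """One joined failed-AUTH record (constructed format, not Postfix's)."""
    return {"ip": ip, "user": user, "pw": pw_fingerprint(password)}


# Constructed sample: one client cycling guesses against a single mailbox.
SAMPLE = [
    make_event("203.0.113.5", "alice", "Spring2014!"),
    make_event("203.0.113.5", "alice", "Password1"),
    make_event("203.0.113.5", "alice", "letmein"),
]


def classify(events: list) -> dict:
    """Place a batch of failures on the three axes from the question:
    one vs many distinct passwords, usernames and client IPs."""
    axes = {}
    for key in ("pw", "user", "ip"):
        distinct = len({e[key] for e in events})
        axes[key] = "one" if distinct == 1 else "many"
    return axes


# (passwords, usernames, ips) -> what the pattern usually means to the operator.
LABELS = {
    ("many", "one", "one"): "single client guessing passwords for one account",
    ("one", "many", "one"): "single client trying one password across accounts",
    ("one", "many", "many"): "distributed: one password across many accounts",
    ("many", "one", "many"): "distributed guessing against one account",
    ("many", "many", "one"): "single client guessing across many accounts",
    ("many", "many", "many"): "distributed guessing across many accounts",
    ("one", "one", "many"): "one credential from many addresses (roaming or stale client)",
    ("one", "one", "one"): "one client repeating one credential (likely a stale client config)",
}


def describe(events: list) -> str:
    """Human-readable label for the batch; 'mixed pattern' only if axes are unknown."""
    a = classify(events)
    return LABELS.get((a["pw"], a["user"], a["ip"]), "mixed pattern")
```

The last two labels cover the case the reply mentions: a user who changed the password but forgot one of several mail clients looks like a single stale credential repeated, not like guessing.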