Ricardo Signes:
> a. one IP, the same username, many different passwords
> d. one IP, the same username, the same (wrong) password repeatedly

I suppose that one would log a password hash, just to be sure.

> I definitely understand the point about not wanting to deal with the SASL
> internals.

It is not practical to implement every SASL protocol in Postfix. Also, the more secure SASL protocols don't send a fixed password, instead they use challenge-response. In that case there is no way to find out whether you are looking at (a.) or (d.).

Postfix could log the base64 blobs that the client sends. Even without decoding base64, this may be sufficient to see that someone is using the same username and password repeatedly with AUTH PLAIN or AUTH LOGIN, and you can base64 decode the blob to find out what username may be involved. But this effectively logs many plaintext passwords to file.

> Putting aside that question, do you have any suggestions or thoughts
> about improving the way in which potential attacks could be
> classified with currently available data?

The general solution requires support in the authentication back-end, be it Dovecot or the SASL library.

Wietse
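
An added illustration of the "log a password hash" idea discussed in the message above; it is not part of the original message and is not Postfix, Dovecot or SASL library code. It separates case (a.) from case (d.) for AUTH PLAIN failures by comparing a keyed, truncated fingerprint of the password instead of the password itself. The key, the event format, the `min_attempts` threshold and all sample data are assumptions constructed for the example, and challenge-response mechanisms cannot be handled this way.

```python
import base64, hashlib, hmac
from collections import defaultdict

# Assumption: per-host secret stored outside the log files (constructed value).
LOG_KEY = b"constructed-demo-key-rotate-me"

def parse_auth_plain(blob_b64):
    """Decode an AUTH PLAIN response (RFC 4616): authzid NUL authcid NUL passwd."""
    parts = base64.b64decode(blob_b64, validate=True).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a PLAIN response")
    return parts[1].decode("utf-8"), parts[2]

def fingerprint(user, password):
    """Keyed, truncated tag: equal passwords for one user compare equal, and the
    logged tag cannot be guessed against offline without LOG_KEY."""
    mac = hmac.new(LOG_KEY, user.encode() + b"\x00" + password, hashlib.sha256)
    return mac.hexdigest()[:12]

def classify(failures, min_attempts=3):
    """failures: iterable of (client_ip, base64_blob) for failed logins.
    Returns {(ip, user): 'a' | 'd'}, using the labels from the message above."""
    seen = defaultdict(list)
    for ip, blob in failures:
        try:
            user, password = parse_auth_plain(blob)
        except (ValueError, UnicodeDecodeError):
            continue  # malformed or non-PLAIN data: nothing to compare
        seen[(ip, user)].append(fingerprint(user, password))
    result = {}
    for key, tags in seen.items():
        if len(tags) >= min_attempts:
            # one distinct tag = same wrong password repeated; otherwise guessing
            result[key] = "d" if len(set(tags)) == 1 else "a"
    return result

def _blob(user, password):  # builds constructed sample input
    raw = b"\x00" + user.encode() + b"\x00" + password.encode()
    return base64.b64encode(raw).decode()

# Constructed sample: one guessing client, one client with a stale password.
SAMPLE = ([("192.0.2.10", _blob("alice", p)) for p in ("spring1", "summer2", "autumn3")]
          + [("198.51.100.7", _blob("bob", "old-password"))] * 4)

if __name__ == "__main__":
    for (ip, user), label in classify(SAMPLE).items():
        print(ip, user, label)
```

Only the fingerprint would be written to the log; the decoded password exists in memory just long enough to compute it.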