On 2/24/2017 5:55 PM, James wrote:
>> Current versions of postfix will log that AUTH was attempted, but do
>> not log what the client sends. You can grep the logs for 'auth=0'
>> to see unsuccessful auth attempts.
>>
>> postfix/smtpd[58629]: disconnect from unknown[192.168.0.33] ehlo=1
>> auth=0/1 commands=1/2
>>
>> -- Noel Jones
>
> Yes, that's exactly what I have, hence my comments about seeing it
> happening.
>
> I have a few entries in my bash history that I call up a few times a
> day to pull "interesting" lines from several logs.
>
> I was hoping there might be some setting that would cause log
> entries like:
>
> postfix/smtpd[12345]: NOQUEUE: AUTH rejected from
> client.example.com[0.1.2.3], sasl_method=PLAIN, sasl_username=spam_r_us
>
> As long as the sasl_username was obviously hopeless then I wouldn't
> worry... but if they started using something that I thought they
> shouldn't know about then I'd start getting worried.
>
> If no such setting exists then how many folks would consider it to
> be a reasonable feature request?
>
> - James
>
I'm pretty sure the sasl_username part of the log (and probably the
method too) is supplied by the sasl library, which is never called
when sasl isn't offered.

When sasl isn't offered but the client sends AUTH anyway, it should be
possible for postfix to log the (sanitized) AUTH command the client
sends, but it will be encoded. The encoding as recorded in the log may
be (I think likely) broken by the log sanitizer.

My impression is this won't be as useful as you hope. Or my analysis
could be flawed.

Maybe Wietse or others have something to add.

-- Noel Jones
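Added example, not part of the thread and not Postfix code: a tally of failed AUTH attempts per client IP from the smtpd "disconnect" lines quoted above. It goes beyond grepping for 'auth=0' by also counting partly failed sessions such as auth=1/2. Assumptions: the counters read succeeded/attempted, with a bare number when every attempt succeeded; the syslog prefix, the extra sample lines and the `threshold` parameter are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the smtpd "disconnect" format quoted in the thread.
SAMPLE_LOG = """\
Feb 24 17:01:02 mx postfix/smtpd[58629]: disconnect from unknown[192.168.0.33] ehlo=1 auth=0/1 commands=1/2
Feb 24 17:01:09 mx postfix/smtpd[58630]: disconnect from unknown[192.168.0.33] ehlo=1 auth=0/3 quit=1 commands=2/5
Feb 24 17:02:11 mx postfix/smtpd[58631]: disconnect from client.example.com[192.0.2.7] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Feb 24 17:03:40 mx postfix/smtpd[58632]: disconnect from mail.example.net[198.51.100.9] ehlo=1 auth=1/2 mail=1 rcpt=1 data=1 quit=1 commands=6/7
Feb 24 17:04:00 mx postfix/smtpd[58633]: disconnect from unknown[203.0.113.5] ehlo=1 quit=1 commands=2
"""

# Client name, client IP, then the per-command counters.
DISCONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\](?P<stats>.*)$"
)
# auth=OK/TOTAL when some attempts failed, auth=N when all N succeeded (assumed format).
AUTH = re.compile(r"\bauth=(?P<ok>\d+)(?:/(?P<total>\d+))?(?=\s|$)")


def failed_auth_by_ip(lines):
    """Return a Counter mapping client IP -> number of failed AUTH commands."""
    failures = Counter()
    for line in lines:
        m = DISCONNECT.search(line)
        if not m:
            continue
        a = AUTH.search(m.group("stats"))
        if not a:
            continue  # the client never sent AUTH in this session
        ok = int(a.group("ok"))
        total = int(a.group("total")) if a.group("total") else ok
        if total > ok:
            failures[m.group("ip")] += total - ok
    return failures


def offenders(lines, threshold=3):
    """IPs with at least `threshold` failed AUTH commands (hypothetical cut-off)."""
    return sorted(ip for ip, n in failed_auth_by_ip(lines).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in failed_auth_by_ip(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d} failed AUTH  {ip}")
```
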