On Mon, Oct 24, 2022 at 08:23:46AM -0400, Paul Kudla wrote:

> ok i had similar issues and ended up patching the sasl auth system 
> inside postfix to include login username & IP ADDRESS
>
> this gave a single log file entry (syslog, file whatever postfix was 
> configured to do) showing that the account had been accessed for sending 
> an email

There's no need for this.  Both are already logged together.

    
https://github.com/vdukhovni/postfix/blob/master/postfix/src/smtpd/smtpd.c#L2288-L2305

Posting the entire source file, rather than a patch, is not terribly
useful.

> also it tracks bad logins
> 
> example :
> 
> www-1       10-24 08:13:29 {postfix.in/smtpd[53113] (1222051970) 
> xsasl_cyrus_server_first: sasl_method LOGIN
> www-1       10-24 08:13:29 {postfix.in/smtpd[53113] (1222051971) 
> xsasl_cyrus_server_auth_response: uncoded server challenge: Username:
> www-1       10-24 08:13:30 {postfix.in/smtpd[53113] (1222052015) 
> xsasl_cyrus_server_next: decoded response: israelk5k...@clancyca.com
> www-1       10-24 08:13:30 {postfix.in/smtpd[53113] (1222052016) 
> xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
> www-1       10-24 08:13:32 {postfix.in/smtpd[53113] (1222052035) 
> xsasl_cyrus_server_next: decoded response: c@15
> www-1       10-24 08:13:32 {postfix.in/smtpd[53113] (1222052036) SASL 
> authentication info: sql plugin: no result found
> www-1       10-24 08:13:32 {postfix.in/smtpd[53113] (1222052037) 
> warning: unknown[183.182.107.110]: SASL LOGIN authentication failed: 
> authentication failure

I would be generally reluctant to log username/password for bad logins;
these can leak cases where a password is accidentally pasted into a
username field, or there's a minor typo, and so can compromise cleartext
passwords.

-- 
    Viktor.
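
An added example, not part of the original message or of Postfix: a log summarizer that pairs client IP with SASL username using only the stock smtpd log lines, and masks the client-supplied values that verbose SASL logging echoes. It assumes the usual `client=host[ip], sasl_method=..., sasl_username=...` line for successful logins and the warning format quoted above for failures; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Stock smtpd line on successful AUTH: client address and SASL login in one entry.
OK_RE = re.compile(
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+))?"
    r"(?:, sasl_username=(?P<user>[^,\s]+))?"
)
# Stock smtpd warning on failed AUTH: client address and mechanism, no credentials.
FAIL_RE = re.compile(
    r"warning: (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<method>\S+) authentication failed"
)
# Verbose SASL debug lines echo whatever the client typed, passwords included.
DEBUG_RE = re.compile(r"(decoded response: ).*")


def redact(line):
    """Mask client-supplied SASL responses before a line is stored or shared."""
    return DEBUG_RE.sub(r"\1[REDACTED]", line)


def summarize(lines):
    """Return ({ip: set of sasl usernames}, {ip: failed AUTH count})."""
    logins, failures = defaultdict(set), defaultdict(int)
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            continue
        m = OK_RE.search(line)
        if m and m["user"]:
            logins[m["ip"]].add(m["user"])
    return dict(logins), dict(failures)


# Constructed sample lines (documentation addresses, made-up queue ID and users).
SAMPLE = [
    "Oct 24 08:13:29 mx postfix/smtpd[100]: 4A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com",
    "Oct 24 08:13:32 mx postfix/smtpd[101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure",
    "Oct 24 08:13:33 mx postfix/smtpd[101]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure",
    "Oct 24 08:13:30 mx postfix/smtpd[101]: xsasl_cyrus_server_next: decoded response: hunter2-constructed",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(redact(SAMPLE[3]))
```

Failed attempts are counted per client address only, so nothing typed into a username or password prompt needs to reach the log.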
