cosmetics: authentication success not logged
Hello, we implemented a submission server with SASL authentication. nothing special... also we use to grep for "sasl_username=$customer_with_trouble". today I noticed, the successful authentication was not logged because a sender address was rejected. Looks like sasl_username logging happen only with a valid QueueID which is not available in some cases. I only assume the authentication was successful by the final log entry mention "auth=1" postfix/submission/smtpd[31338]: connect from foo.example.org[192.0.2.25] postfix/submission/smtpd[31338]: Anonymous TLS connection established from foo.example.org[192.0.2.25]: TLSv1 with cipher $not_important_here postfix/submission/smtpd[31338]: NOQUEUE: reject: RCPT from foo.example.org[192.0.2.25]: 550 5.1.0 : Sender address rejected: User unknown; ... postfix/submission/smtpd[31338]: disconnect from foo.example.org[192.0.2.25] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7 would it make sense / be possible to log successful authentication always? Andreas
Re: cosmetics: authentication success not logged
A. Schulze: > > Hello, > > we implemented a submission server with SASL authentication. nothing > special... > also we use to grep for "sasl_username=$customer_with_trouble". > > today I noticed, the successful authentication was not logged > because a sender address was rejected. Looks like sasl_username > logging happen only with a valid QueueID which is not available > in some cases. I only assume the authentication was successful > by the final log entry mention "auth=1" > > postfix/submission/smtpd[31338]: connect from foo.example.org[192.0.2.25] > postfix/submission/smtpd[31338]: Anonymous TLS connection established from > foo.example.org[192.0.2.25]: TLSv1 with cipher $not_important_here > postfix/submission/smtpd[31338]: NOQUEUE: reject: RCPT from > foo.example.org[192.0.2.25]: 550 5.1.0 : Sender > address rejected: User unknown; ... > postfix/submission/smtpd[31338]: disconnect from foo.example.org[192.0.2.25] > ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7 > > > would it make sense / be possible to log successful authentication always? No, that would log it too often in normal sessions. Instead it can be logged for rejected commands. reject: from host[addr] ...; from=, to=, proto=SMTP, helo=, sasl_username= Wietse
Re: cosmetics: authentication success not logged
Wietse Venema: > No, that would log it too often in normal sessions. Instead it can > be logged for rejected commands. > > reject: from host[addr] ...; from=, to=, proto=SMTP, > helo=, sasl_username= As in the patch below. Wietse diff -u /var/tmp/postfix-3.2-20160917/src/smtpd/smtpd.c src/smtpd/smtpd.c --- /var/tmp/postfix-3.2-20160917/src/smtpd/smtpd.c 2016-09-17 10:49:09.0 -0400 +++ src/smtpd/smtpd.c 2016-09-18 08:36:17.0 -0400 @@ -1531,6 +1531,11 @@ vstring_sprintf_append(buf, " proto=%s", state->protocol); if (state->helo_name) vstring_sprintf_append(buf, " helo=<%s>", state->helo_name); +#ifdef USE_SASL_AUTH +if (state->sasl_username) + vstring_sprintf_append(buf, " sasl_username=<%s>", + state->sasl_username); +#endif return (STR(buf)); }
Re: cosmetics: authentication success not logged
Am 18.09.2016 um 14:31 schrieb Wietse Venema: No, that would log it too often in normal sessions. Instead it can be logged for rejected commands. reject: from host[addr] ...; from=, to=, proto=SMTP, helo=, sasl_username= Hello Wietse, that would be OK, too. It requires a code change, right? Andreas
Re: cosmetics: authentication success not logged
Am 18.09.2016 um 14:39 schrieb Wietse Venema: As in the patch below. ups, you'r so fast... thanks! I'll try and report. Andreas
Re: mysql lookup table and utf8
On 09/15/2016 05:35 PM, Phil Stracchino wrote: > On 09/15/16 06:49, Wietse Venema wrote: >> Phil Stracchino: >>> Well, it's supposed to Just Work if they're using libmysqlclient. I'm >>> not sure where to get the information of NOT using libmysqlclient, other >>> than just searching likely locations. >> FYI, Postfix uses libmysqlclient. So what's up with not reading >> the default config file? > In that case, I have no idea why it's not picking up the default config. > To the best of my understanding, it should. But having never worked > with libmysqlclient directly myself, my understanding may very well be > incomplete or wrong, and it's likely there are details I don't know. > > In order to get libmysqlclient to read the standard options file you have to specifically define the group name to read from that file for example "your_prog_name". mysql_options(&mysql,MYSQL_READ_DEFAULT_GROUP,"your_prog_name"); This must be called prior to mysql_real_connect. When you specify this option, then the [client] section and the [your_prog_name] section of the default my.cnf file are read. John
Re: mysql lookup table and utf8
> On Sep 18, 2016, at 6:03 PM, John Fawcett wrote: > > In order to get libmysqlclient to read the standard options file > you have to specifically define the group name to read from that file > for example "your_prog_name". > > mysql_options(&mysql,MYSQL_READ_DEFAULT_GROUP,"your_prog_name"); > > This must be called prior to mysql_real_connect. > > When you specify this option, then the [client] section > and the [your_prog_name] section of the default my.cnf file > are read. Care to post a patch for src/global/dict_mysql.c? Do you think that the "prog_name" should be configurable? Perhaps allowing different Postfix instances to run with different settings? Or would a fixed name like "postfix" be better? -- Viktor.
Re: mysql lookup table and utf8
On 09/19/2016 12:13 AM, Viktor Dukhovni wrote: >> On Sep 18, 2016, at 6:03 PM, John Fawcett wrote: >> >> In order to get libmysqlclient to read the standard options file >> you have to specifically define the group name to read from that file >> for example "your_prog_name". >> >> mysql_options(&mysql,MYSQL_READ_DEFAULT_GROUP,"your_prog_name"); >> >> This must be called prior to mysql_real_connect. >> >> When you specify this option, then the [client] section >> and the [your_prog_name] section of the default my.cnf file >> are read. > Care to post a patch for src/global/dict_mysql.c? Do you > think that the "prog_name" should be configurable? Perhaps > allowing different Postfix instances to run with different > settings? Or would a fixed name like "postfix" be better? > ok I can do that. I would go for a fixed name. It seems to be the standard in my.cnf and it simplifies things. If needed there is always the possibility to specify a different group or a different file in the postfix mysql config file as supported by the current dict_mysql.c: /* .IP option_file /*Read options from the given file instead of the default my.cnf /*location. /* .IP option_group /*Read options from the given group John
Re: mysql lookup table and utf8
John Fawcett: > > Care to post a patch for src/global/dict_mysql.c? Do you > > think that the "prog_name" should be configurable? Perhaps > > allowing different Postfix instances to run with different > > settings? Or would a fixed name like "postfix" be better? > > > ok I can do that. I would go for a fixed name. It seems to Please also update proto/mysql_table? I apologize for still having to adopt in your patch for stored procedures. It will happen. Wietse
