
AUTH failure and username in log


Sergey

Nov 30, 2017, 7:52:25 AM
Hello.

Can Sendmail add the username to the log message with the relay string
AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed, relay=...
?

It would be useful for detecting password brute force.
Now for this we need to increase the logging level and
select the string with "<-- AUTH" by queue id. It is not
very convenient.

--
Regards, Sergey

Claus Aßmann

Nov 30, 2017, 9:01:10 AM
Sergey wrote:

> Can Sendmail add username to log message with relay string
[[AUTH failures]]

sendmail simply uses the SASL library, it doesn't even "know" which
account is used for AUTH -- until AUTH succeeded and it can query
the library for that information. To get the username for a failed
attempt means to hack the code (which wouldn't be too hard for some
simple AUTH methods like LOGIN or PLAIN).

There might be patches which do that...


--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Niels Baggesen

Nov 30, 2017, 9:30:05 AM
Claus Aßmann <ca+sendmail(-no-copies-please)@mine.informatik.uni-kiel.de> wrote:
> Sergey wrote:

> > Can Sendmail add username to log message with relay string
> [[AUTH failures]]

> sendmail simply uses the SASL library, it doesn't even "know" which
> account is used for AUTH -- until AUTH succeeded and it can query
> the library for that information.

There is a good chance that your SASL library has logged that
information to /var/log/secure - or can be made to do that.

/Niels

--
Niels Baggesen -- @home -- Århus -- Denmark -- ni...@baggesen.net
The purpose of computing is insight, not numbers -- R W Hamming

Sergey

Dec 1, 2017, 6:33:09 AM
Claus Aßmann wrote:

>> Can Sendmail add username to log message with relay string
> [[AUTH failures]]
>
> sendmail simply uses the SASL library, it doesn't even "know"
> which account is used for AUTH

But Sendmail receives it from the client and sends it to SASL.
For example:

AUTH PLAIN VXNlcgBQYXNzd29yZA==

or

AUTH LOGIN
334 VXNlcm5hbWU6
VXNlcg==
334 UGFzc3dvcmQ6
UGFzc3dvcmQ=

In these examples the word "User" can be logged with "AUTH failures".

--
Regards, Sergey
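An added example, not code from the thread or from sendmail itself: a Python script that does the queue-id join Sergey describes by hand, decoding the AUTH PLAIN and AUTH LOGIN tokens to recover the username and counting failures per (username, relay) for brute-force detection. The layout of the constructed sample lines (queue id prefix, client input echoed as "<-- ...") is an assumption of this example; the AUTH failure line is the one quoted above.

```python
import base64
import re
from collections import Counter
# Constructed sample in the shape of a sendmail log at a high LogLevel: client input is
# echoed per queue id as "<-- ..." next to the AUTH failure line quoted in the thread.
SAMPLE_LOG = """\
Nov 30 07:40:01 mx sendmail[1201]: vAU7e1ab001201: <-- AUTH PLAIN VXNlcgBQYXNzd29yZA==
Nov 30 07:40:01 mx sendmail[1201]: vAU7e1ab001201: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed, relay=[192.0.2.10]
Nov 30 07:40:02 mx sendmail[1202]: vAU7e2cd001202: <-- AUTH LOGIN
Nov 30 07:40:02 mx sendmail[1202]: vAU7e2cd001202: <-- VXNlcg==
Nov 30 07:40:02 mx sendmail[1202]: vAU7e2cd001202: <-- UGFzc3dvcmQ=
Nov 30 07:40:02 mx sendmail[1202]: vAU7e2cd001202: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed, relay=[192.0.2.10]
Nov 30 07:40:05 mx sendmail[1203]: vAU7e5ef001203: <-- AUTH PLAIN Ym9iAGJvYgBodW50ZXIy
Nov 30 07:40:05 mx sendmail[1203]: vAU7e5ef001203: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed, relay=[198.51.100.7]
"""
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<msg>.*)$")
FAIL_RE = re.compile(r"^AUTH failure \((?P<mech>\w+)\):.*relay=(?P<relay>\S+)$")

def b64_text(token):
    """Decode one base64 SASL token to text; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def username_from(mech, token):
    """PLAIN is [authzid] NUL authcid NUL passwd (RFC 4616); LOGIN sends the bare name."""
    raw = b64_text(token)
    if raw is None or mech not in ("PLAIN", "LOGIN"):
        return None  # other mechanisms do not expose the username this way
    parts = raw.split("\0")  # the thread's PLAIN sample has one NUL: use field 0 then
    return parts[1] if mech == "PLAIN" and len(parts) >= 3 else parts[0]

def failed_auth_attempts(log_text):
    """Yield (username, relay) per AUTH failure, joined to the AUTH input by queue id."""
    pending = {}  # queue id -> state of the AUTH exchange still in progress
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, msg = m.group("qid"), m.group("msg")
        if msg.startswith("<-- AUTH "):  # AUTH <mech> [initial-response]
            mech, *initial = msg[9:].split() or ["?"]
            user = username_from(mech.upper(), initial[0]) if initial else None
            pending[qid] = {"mech": mech.upper(), "user": user, "replied": bool(initial)}
        elif msg.startswith("<-- ") and qid in pending and not pending[qid]["replied"]:
            st = pending[qid]  # first client reply after AUTH: the username token
            st["user"], st["replied"] = username_from(st["mech"], msg[4:]), True
        elif (f := FAIL_RE.match(msg)):
            st = pending.pop(qid, {})
            yield (st.get("user") or "<unknown>", f.group("relay"))

def failures_by_user_and_relay(log_text):
    return Counter(failed_auth_attempts(log_text))
```

Only the first client reply after AUTH LOGIN is decoded, so the password token that follows is never written out.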

Sergey

Dec 1, 2017, 6:37:27 AM
Niels Baggesen wrote:

> There is a good chance that your SASL library has logged that
> information to /var/log/secure - or can be made to do that.

Of course, but this log doesn't contain the client's IP. This
complicates the search for compliance.

--
Regards, Sergey

Claus Aßmann

Dec 1, 2017, 9:25:01 AM
Sergey wrote:
> Claus Aßmann wrote:

> > sendmail simply uses the SASL library, it doesn't even "know"
> > which account is used for AUTH

> But Sendmail receives it from client and sends it to SASL.

> AUTH PLAIN VXNlcgBQYXNzd29yZA==

> AUTH LOGIN
> 334 VXNlcm5hbWU6

> In this examples the word "User" can be logged with "AUTH failures".

You removed the part of my posting which states exactly that:

! To get the username for a failed attempt means to hack the code
! (which wouldn't be too hard for some simple AUTH methods like LOGIN
! or PLAIN).

and:
! There might be patches which do that...

Did you try a search?