Postfix sasl log "SASL LOGIN authentication failed:"

Discussion in 'Installation/Configuration' started by Michaeltc, Jan 9, 2017.

  1. Michaeltc

    Michaeltc New Member

    Hi all :

    I find the maillog always show "SASL LOGIN authentication failed: UGFzc3dvcmQ6"
    How can I change conf file to show the failure user name

    Thanks
     
  2. alisik

    alisik Banned

    You should not change config file but log template.
     
  3. Michaeltc

    Michaeltc New Member

    If I don't change config, how can I know the user name of SASL login failed?

    Thanks
     
  4. Michaeltc

    Michaeltc New Member

    But the problem, when I go to see maillog, I don't know who is "UGFzc3dvcmQ6" this is encrypt
    So how can make maillog can show plain user name ?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to turn on verbose logging to see the details. The exact settings depend on the setup that you use. Which setup do you use on this server?
     
  6. Michaeltc

    Michaeltc New Member

    I
    Hi all :

    I'm follow the below link to setup
    https://www.howtoforge.com/tutorial...l-php-pureftpd-postfix-dovecot-and-ispconfig/

    I think the maillog come from postfix+Dovecot, if the spammer try to hack the account, the maillog will show
    postfix/smtpd[5556]: warning: unknown[xx.34.55.xxx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    My question is, how to show the user name for this SASL LOGIN authentication failed: UGFzc3dvcmQ6
    E.g. how to show
    postfix/smtpd[5556]: warning: unknown[xx.34.55.xxx]: SASL LOGIN authentication failed for user name : [email protected]
    but not UGFzc3dvcmQ6

    Thanks all support
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Hi Michael,

    please edit the dovecot.conf file (should be /etc/dovecot/dovecot.conf) and add these two lines to enable verbose logging:

    auth_verbose = yes
    mail_debug = yes

    then restart dovecot. If you get too much verbose output, then just try auth_verbose only.
     
  8. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    SASL LOGIN authentication failed != hacked
     
  9. Michaeltc

    Michaeltc New Member

    Hi all :

    Thanks for you help, I will try to modify dovecot, it is useful to show user name. As we can know which email account are in high risk and let me to do more step to prevent hacker try to hack password

    Thanks
     
  10. Michaeltc

    Michaeltc New Member

    SASL LOGIN authentication failed != hacked
    but it indicate some guest try to connect our smtp server to send spam email, but the password is wrong will cause
    postfix/smtpd[6942]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
     
    alisik likes this.
  11. David Bucknell

    David Bucknell New Member

    I'm getting this message in the log now. You say it means "hacked!" Below, someone says, it indicates a failed attempt to send spam (wrong password).
    Question: What is the recommended action?
     
  12. tfboy

    tfboy Member

    David, != is technical language for "does not equal", so in this case, the SASL LOGIN authentication failed message doesn't mean the account has been hacked. It simply means a wrong username / password has been used. It could be a brute-force hack attempt, but it's not getting through.
     

Share This Page