Wondering about UGFzc3dvcmQ6

Gary Smithe
Hi everyone, I tried checking the archives so I apologize if I overlooked the answer.  I have 2 questions, based on the log snippet below.
Note that I modified my master.cf to show the port number instead of the word "submission" as it makes it easier for me to visualize the flow of email.

It's obvious the user is failing authentication, and from what I've read the word: UGFzc3dvcmQ6 is literally "Password:"  My question is, does that mean postfix is literally receiving that word, or is it obfuscating the real password that was attempted?

Anything else for tips or advice is also appreciated.

Apr 19 11:22:51 mail postfix/587/smtpd[12552]: connect from unknown[161.47.83.204]
Apr 19 11:22:51 mail postfix/587/smtpd[12552]: Anonymous TLS connection established from unknown[161.47.83.204]: TLSv1.2 with cipher AES128-SHA (128/128 bits)
Apr 19 11:22:55 mail postfix/587/smtpd[12552]: warning: unknown[161.47.83.204]: SASL login authentication failed: UGFzc3dvcmQ6
Apr 19 11:22:55 mail postfix/587/smtpd[12552]: NOQUEUE: reject: RCPT from unknown[161.47.83.204]: 554 5.7.1 <[hidden email]>: Recipient address rejected: Access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<RDPVM18>
Apr 19 11:22:55 mail postfix/587/smtpd[12552]: lost connection after RCPT from unknown[161.47.83.204]
Apr 19 11:22:55 mail postfix/587/smtpd[12552]: disconnect from unknown[161.47.83.204] ehlo=2 starttls=1 auth=0/1 mail=1 rcpt=0/1 commands=4/6



Thanks,
Gary
Re: Wondering about UGFzc3dvcmQ6

Wietse Venema
Gary Smithe:

> Hi everyone, I tried checking the archives so I apologize if I
> overlooked the answer.
> I have 2 questions, based on the log snippet below. Note that I
> modified my master.cf to show the port number instead of the word
> "submission" as it makes it easier for me to visualize the flow
> of email.  It's obvious the user is failing authentication, and
> from what I've read the word: UGFzc3dvcmQ6 is literally "Password:"
> My question is, does that mean postfix is literally receiving that
> word, or is it obfuscating the real password that was attempted?
> Anything else for tips or advice is also appreciated.

SASL requests and responses are encoded in Base 64. In this case,
Postfix reports an error message from the Cyrus SASL library or
Dovecot authentication server. A search engine will find many posts
that discuss this specific error message.

        Wietse
Re: Wondering about UGFzc3dvcmQ6

Bill Cole-3
In reply to this post by Gary Smithe
On 22 Apr 2019, at 10:21, Gary Smithe wrote:

> It's obvious the user is failing authentication, and from what I've
> read the word: UGFzc3dvcmQ6 is literally "Password:"  My question
> is, does that mean postfix is literally receiving that word, or is it
> obfuscating the real password that was attempted?

As Wietse says, Postfix is just passing back the error message from the
SASL library.

As a direct answer: testing indicates that this is what Postfix reports
when using the Dovecot SASL library and any bad username and password
combination is used. For example, the test below uses a non-existent
user, yet the response is with the encoded "Password" string that is
used as a prompt in the "login" SASL mechanism:

# openssl s_client -connect localhost:465
[...]
220 toaster.scconsult.com ESMTP Postfix
ehlo localhost.localdomain
250-toaster.scconsult.com
250-PIPELINING
250-SIZE 40960000
250-ETRN
250-AUTH PLAIN LOGIN
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
auth login
334 VXNlcm5hbWU6
YmlsbEBzY2NvbnN1bHQuY29t
334 UGFzc3dvcmQ6
cmVhbGx5YmFkcGFzc3dvcmQ=
535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
quit
221 2.0.0 Bye

# grep '^Apr 22 11:10.*authentication failed' mail.log
Apr 22 11:10:12 bigsky postfix/smtps/smtpd[95883]: warning: localhost[127.0.0.1]: SASL login authentication failed: UGFzc3dvcmQ6


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
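
As an added illustration (not part of the original thread, and not Postfix or Dovecot code), the Python script below parses smtpd warnings in the format quoted above and decodes the trailing token, showing that it is the server's last LOGIN prompt rather than anything the client sent. The sample log lines are constructed with documentation-range addresses, and the function names are hypothetical.

```python
import base64
import re
from collections import Counter

# Postfix smtpd warning format seen in this thread.
FAIL_RE = re.compile(
    r"warning: \S+\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed:\s*(?P<detail>.*)$"
)
LOGIN_PROMPTS = {"Username:", "Password:"}  # LOGIN challenges, decoded

def b64_text(token):
    """Decode a Base64 token to printable text; None if it is not one."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text and text.isprintable() else None

def parse_failure(line):
    """Return client ip, mechanism and the meaning of the trailing detail."""
    m = FAIL_RE.search(line)
    if m is None:
        return None
    detail = m["detail"].strip()
    decoded = b64_text(detail)
    if decoded in LOGIN_PROMPTS:
        meaning = "server prompt " + repr(decoded)
    elif decoded is not None:
        meaning = "other Base64 text " + repr(decoded)
    else:
        meaning = "plain text " + repr(detail)
    return {"ip": m["ip"], "mech": m["mech"].upper(), "meaning": meaning}

def failures_by_ip(lines):
    """Count failed SASL attempts per client address."""
    return Counter(r["ip"] for r in map(parse_failure, lines) if r)

# Constructed sample lines modelled on the log format quoted above.
SAMPLE_LOG = [
    "Apr 22 11:10:12 mail postfix/smtps/smtpd[101]: warning: unknown[192.0.2.10]: SASL login authentication failed: UGFzc3dvcmQ6",
    "Apr 22 11:10:15 mail postfix/smtps/smtpd[101]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed:",
    "Apr 22 11:11:02 mail postfix/smtps/smtpd[102]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure",
    "Apr 22 11:11:02 mail postfix/smtps/smtpd[102]: connect from unknown[198.51.100.7]",
]

if __name__ == "__main__":
    for rec in filter(None, map(parse_failure, SAMPLE_LOG)):
        print(rec["ip"], rec["mech"], rec["meaning"])
```
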
Re: Wondering about UGFzc3dvcmQ6

Dominic Raferd


On Mon, 22 Apr 2019 at 16:30, Bill Cole <[hidden email]> wrote:
> On 22 Apr 2019, at 10:21, Gary Smithe wrote:
>
> > It's obvious the user is failing authentication, and from what I've
> > read the word: UGFzc3dvcmQ6 is literally "Password:"  My question
> > is, does that mean postfix is literally receiving that word, or is it
> > obfuscating the real password that was attempted?
>
> As Wietse says, Postfix is just passing back the error message from the
> SASL library.
>
> As a direct answer: testing indicates that this is what Postfix reports
> when using the Dovecot SASL library and any bad username and password
> combination is used. For example, the test below uses a non-existent
> user, yet the response is with the encoded "Password" string that is
> used as a prompt in the "login" SASL mechanism:
>
> # openssl s_client -connect localhost:465
> [...]
> 220 toaster.scconsult.com ESMTP Postfix
> ehlo localhost.localdomain
> 250-toaster.scconsult.com
> 250-PIPELINING
> 250-SIZE 40960000
> 250-ETRN
> 250-AUTH PLAIN LOGIN
> 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250-DSN
> 250-SMTPUTF8
> 250 CHUNKING
> auth login
> 334 VXNlcm5hbWU6
> YmlsbEBzY2NvbnN1bHQuY29t
> 334 UGFzc3dvcmQ6
> cmVhbGx5YmFkcGFzc3dvcmQ=
> 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
> quit
> 221 2.0.0 Bye
>
> # grep '^Apr 22 11:10.*authentication failed' mail.log
> Apr 22 11:10:12 bigsky postfix/smtps/smtpd[95883]: warning: localhost[127.0.0.1]: SASL login authentication failed: UGFzc3dvcmQ6

With dovecot, adding these lines to configuration should enable logging in the clear of failed passwords:
auth_verbose = yes
auth_verbose_passwords = plain