SASL LOGIN authentication failed: UGFzc3dvcmQ6 - Find the username

We were able to trace the username by using Dovecot itself.

In the /etc/dovecot/conf.d/10-logging.conf config we enabled verbose auth logging using

auth_verbose = yes

This put the information in

/etc/dovecot/info.log

I was able to prevent this by setting up SSL and requiring auth attempts over SSL only with

smtpd_tls_auth_only = yes

This doesn't present the AUTH option to the remote client after EHLO and so the spammers/hackers give up because establishing a SSL connection is too much time. They work a numbers game. Now instead it hangs up when they try AUTH and I get this in my logs:

Jan  7 22:14:27 ip-99-99-99-99 postfix/smtpd[22274]: warning: 91.200.12.140: hostname vps863.hidehost.net verification failed: No address associated with hostname
Jan  7 22:14:27 ip-99-99-99-99 postfix/smtpd[22274]: connect from unknown[91.200.12.140]
Jan  7 22:14:27 ip-99-99-99-99 postfix/smtpd[22274]: lost connection after AUTH from unknown[91.200.12.140]
Jan  7 22:14:27 ip-99-99-99-99 postfix/smtpd[22274]: disconnect from unknown[91.200.12.140]

If you have fail2ban installed you can enable sasl (or sometimes called postfix-sasl) in your jail.local (or jail.d) and that should make the annoyances go away.

## for me this is in /etc/fail2ban/jail.d/defaults-debian.conf
[postfix]
enabled = true

[postfix-sasl]
enabled = true

There are at least two ways of finding the user name(s) being tried.

Logging SMTP transactions with Postfix

If you know which host(s) your strange connections are coming from, you can enable verbose debugging for them by specifying a debug_peer_list in /etc/postfix/main.cf:

debug_peer_list = 192.0.2.1

This will yield, among other things, a message like this in syslog:

postfix/smtpd[123]: xsasl_dovecot_handle_reply: auth reply: FAIL?5?user=info

You will want to use this setting for very specific debugging only, since the full SMTP session is logged, including the password.

postfix/smtpd[123]: < unknown[192.0.2.1]: AUTH LOGIN
postfix/smtpd[123]: xsasl_dovecot_server_first: sasl_method LOGIN
postfix/smtpd[123]: xsasl_dovecot_handle_reply: auth reply: CONT?5?VXNlcm5hbWU6
postfix/smtpd[123]: > unknown[192.0.2.1]: 334 VXNlcm5hbWU6
postfix/smtpd[123]: < unknown[192.0.2.1]: aW5mbw==
postfix/smtpd[123]: xsasl_dovecot_handle_reply: auth reply: CONT?5?UGFzc3dvcmQ6
postfix/smtpd[123]: > unknown[192.0.2.1: 334 UGFzc3dvcmQ6
postfix/smtpd[123]: < unknown[192.0.2.1]: Zm9vYmFy
postfix/smtpd[123]: xsasl_dovecot_handle_reply: auth reply: FAIL?5?user=info
postfix/smtpd[123]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[123]: > unknown[192.0.2.1]: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6

In this example, a LOGIN attempt for user "info" has failed after the password "foobar" was presented. Like the challenges, you can decode the replies as base64:

$ echo aW5mbw== | echo $(base64 -d)
info
$ echo Zm9vYmFy | echo $(base64 -d)
foobar

Logging authentication with Dovecot

Postfix itself does not include a SASL implementation. Traditionally, it was hooked up to Cyrus SASL, but if you are using the Dovecot POP/IMAP server, Postfix can reuse its SASL module.

As you have found out, Dovecot has its own debugging facility, enabled with

auth_verbose = yes

in its config file, often /etc/dovecot/conf.d/10-logging.conf. The output in /var/log/dovecot-info.log will look something like this:

Jun 10 13:16:40 auth-worker(14936): Info: pam([email protected],192.0.2.1): pam_authenticate() failed: Authentication failure (password mismatch?)

While there is no host-based control here, there are a number of related options to control what gets logged, specifically whether or not to include the attempted passwords. From the example config:

# Log unsuccessful authentication attempts and the reasons why they failed.
auth_verbose = no

# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
auth_verbose_passwords = no

# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
auth_debug = no

# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
auth_debug_passwords = no

See also the Dovecot documentation for details.

About SMTP authentication

As you note, the string UGFzc3dvcmQ6 in the log message is the base64-encoding of "Password:". What Postfix is logging here is the particular authentication "challenge" that it has sent and received an erroneous reply for. There is also a preceding challenge for "Username:" (VXNlcm5hbWU6). However, even for nonexistent users, the failure will only be reported after the password.

The values of the challenge strings are actually unimportant and should be ignored. The first challenge is always for the user name, and the second is for the password. The details about this can be found in the specification for the LOGIN method.

NB: Since this is all a bit noodly for just transfering and checking the username-password pair, LOGIN is long obsoleted. The PLAIN method works essentially the same but packs both pieces of information into the same base64 string.

Finally, the fact that parts of this conversation are base64-encoded is actually a feature of SMTP Authentication in general. The idea is to easily allow arbitrary (possibly binary) data to be exchanged between the SASL modules of client and server, without those SASL modules needing to know or care about SMTP itself. You can get an idea of how SASL operates from the Cyrus SASL documentation.