SASL LOGIN authentication failed: UGFzc3dvcmQ6 - Find the username

Solution 1:

We were able to trace the username by using Dovecot itself.

In the /etc/dovecot/conf.d/10-logging.conf config we enabled verbose auth logging using

auth_verbose = yes

This put the information in

/etc/dovecot/info.log

Solution 2:

I was able to prevent this by setting up SSL and requiring auth attempts over SSL only with

smtpd_tls_auth_only = yes

This doesn't present the AUTH option to the remote client after EHLO, and so the spammers/hackers give up because establishing an SSL connection is too much time. They work a numbers game. Now instead it hangs up when they try AUTH and I get this in my logs:

Jan  7 22:14:27 ip-99-99-99-99 postfix/smtpd[22274]: warning: 91.200.12.140: hostname vps863.hidehost.net verification failed: No address associated with hostname
Jan  7 22:14:27 ip-99-99-99-99 postfix/smtpd[22274]: connect from unknown[91.200.12.140]
Jan  7 22:14:27 ip-99-99-99-99 postfix/smtpd[22274]: lost connection after AUTH from unknown[91.200.12.140]
Jan  7 22:14:27 ip-99-99-99-99 postfix/smtpd[22274]: disconnect from unknown[91.200.12.140]
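A way to confirm that smtpd_tls_auth_only actually took effect is to look at what the server advertises in its EHLO reply before and after STARTTLS. The script below is an added example, not code from any of the answers above: it parses an EHLO reply into its extension keywords and reports whether AUTH is offered, using two constructed replies (one for the default configuration, one for smtpd_tls_auth_only = yes), and includes a check_live helper built on the standard smtplib module for running the same comparison against a server of your own. The hostname and extension lists are assumptions for illustration.

```python
"""Check whether an SMTP server offers AUTH on the plaintext connection (before STARTTLS)."""
import smtplib


def parse_ehlo(reply_text):
    """Parse a raw multi-line EHLO reply into {EXTENSION: parameter string}.

    The first 250 line is the server greeting and is skipped; the remaining
    "250-" / "250 " lines each carry one ESMTP extension keyword.
    """
    extensions = {}
    lines = reply_text.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop "250-" or "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def auth_offered(reply_text):
    """True if the EHLO reply advertises the AUTH extension."""
    return "AUTH" in parse_ehlo(reply_text)


# Constructed EHLO replies (not captured from a real server).
# Default Postfix: AUTH is advertised on the plaintext connection.
EHLO_DEFAULT = (
    "250-mail.example.test\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME"
)
# smtpd_tls_auth_only = yes: AUTH is withheld until STARTTLS has completed.
EHLO_TLS_ONLY_PLAINTEXT = (
    "250-mail.example.test\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n250 8BITMIME"
)
EHLO_TLS_ONLY_AFTER_STARTTLS = (
    "250-mail.example.test\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
    "250-AUTH PLAIN LOGIN\r\n250 8BITMIME"
)


def check_live(host, port=25, timeout=10):
    """Connect to an SMTP server and return (auth_before_tls, auth_after_tls).

    auth_after_tls is None when the server does not offer STARTTLS at all.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = s.has_extn("auth")
        if not s.has_extn("starttls"):
            return before, None
        s.starttls()
        s.ehlo()                         # extensions must be re-read after STARTTLS
        after = s.has_extn("auth")
    return before, after


if __name__ == "__main__":
    print("default config, AUTH on plaintext:", auth_offered(EHLO_DEFAULT))
    print("tls_auth_only, AUTH on plaintext:", auth_offered(EHLO_TLS_ONLY_PLAINTEXT))
    print("tls_auth_only, AUTH after STARTTLS:", auth_offered(EHLO_TLS_ONLY_AFTER_STARTTLS))
```

Running check_live("your.mail.host") should return (False, True) once the setting is in place; (True, True) means AUTH is still advertised in the clear.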

Solution 3:

If you have fail2ban installed you can enable sasl (sometimes called postfix-sasl) in your jail.local (or jail.d) and that should make the annoyances go away.

## for me this is in /etc/fail2ban/jail.d/defaults-debian.conf
[postfix]
enabled = true

[postfix-sasl]
enabled = true
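The UGFzc3dvcmQ6 token in the question's log line is the server's own base64-encoded "Password:" prompt from the SASL LOGIN exchange, not the username the client sent, which is why solution 1 has to turn on Dovecot's verbose auth logging to see it. The script below is an added example, not code from any of the answers above: it decodes that token, parses Postfix "SASL ... authentication failed" lines out of a constructed log sample, and applies a sliding-window count per source address in the same spirit as fail2ban's maxretry/findtime settings from solution 3. The log lines, hostnames and addresses are constructed (documentation ranges), and the year used for timestamps is an assumption since syslog lines carry none.

```python
"""Decode the SASL challenge and count failed AUTH attempts per source IP from Postfix logs."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Postfix syslog format; not taken from a real server.
SAMPLE_LOG = """\
Jan  7 22:14:01 mail postfix/smtpd[22274]: connect from unknown[203.0.113.5]
Jan  7 22:14:02 mail postfix/smtpd[22274]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  7 22:14:03 mail postfix/smtpd[22274]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  7 22:14:04 mail postfix/smtpd[22274]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  7 22:14:05 mail postfix/smtpd[22274]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  7 22:30:00 mail postfix/smtpd[22301]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  7 22:31:00 mail postfix/smtpd[22301]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed:
Jan  7 22:32:00 mail postfix/smtpd[22310]: disconnect from unknown[198.51.100.7]
"""

# Matches the Postfix warning line; the trailing token is optional because some
# mechanisms (e.g. PLAIN) log nothing after "failed:".
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F:.]+)\]: "
    r"SASL (?P<mech>\w+) authentication failed:(?: (?P<tail>\S+))?$"
)


def decode_challenge(token):
    """Decode the base64 text Postfix logs after 'authentication failed:'.

    For SASL LOGIN this is the server's last prompt ("Username:" or "Password:"),
    so it reveals which step of the exchange failed, not what the client sent.
    Returns None when the token is not valid base64 ASCII.
    """
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_failures(log_text, year=2024):
    """Return a list of dicts (ts, ip, host, mech, challenge) for each SASL failure line."""
    failures = []
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        failures.append({
            "ts": ts,
            "ip": m["ip"],
            "host": m["host"],
            "mech": m["mech"],
            "challenge": decode_challenge(m["tail"]) if m["tail"] else None,
        })
    return failures


def ban_candidates(failures, maxretry=3, findtime=600):
    """Source IPs with at least `maxretry` failures inside any `findtime`-second window.

    This mirrors the maxretry/findtime logic of a fail2ban jail, using a
    sliding window over each address's sorted failure timestamps.
    """
    by_ip = defaultdict(list)
    for f in failures:
        by_ip[f["ip"]].append(f["ts"])
    window = timedelta(seconds=findtime)
    banned = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                banned.append(ip)
                break
    return sorted(banned)


if __name__ == "__main__":
    print("UGFzc3dvcmQ6 decodes to:", decode_challenge("UGFzc3dvcmQ6"))
    fails = parse_failures(SAMPLE_LOG)
    for f in fails:
        print(f["ts"], f["ip"], f["mech"], "challenge=", f["challenge"])
    print("ban candidates:", ban_candidates(fails))
```

With the sample above, 203.0.113.5 crosses the default threshold (four failures in four seconds) while 198.51.100.7 does not; the same thresholds are what you tune with maxretry and findtime in the fail2ban jail.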