warn-too-many-smtp-login-hosts: Only add extracted username
Currently, the script reports the following false positive.

> /etc/cron.hourly/warn-too-many-smtp-login-hosts:
> The following users have smtp logins from more than 20 different hosts.
> Please verify that these mail accounts haven't been compromised.
>
> USER #UNIQUE HOSTS
> -----------------------------------------
> 2513

This commit tries to address this issue by checking if the extracted username is an empty string.

The problem was that the script was matching lines similar to this, which ends with sasl_username=<name>

Nov 17 00:01:51 hermod postfix/smtpd[556252]: warning: lneuilly-657-1-113-189.w82-127.abo.wanadoo.fr[82.127.41.189]: SASL PLAIN authentication failed: (reason unavailable), sasl_username=contact

Hence I've also added the extra check as well !/authentication failed/ which ignores all the lines with the text "authentication failed", because we're not interested in those.
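The two checks described in the commit message, as an added example that is not the script changed by this commit: it counts distinct client IPs per SASL username, skipping "authentication failed" lines and any line whose extracted username is empty. The function names, the threshold argument and the sample log lines are assumptions; successful logins are assumed to be logged in Postfix's `client=host[ip], sasl_method=..., sasl_username=...` form.

```shell
#!/bin/sh
# Added example, not the script changed by this commit.
# Usage: count_smtp_login_hosts THRESHOLD < mail.log
# Prints "user hosts" for each sasl_username seen from more than
# THRESHOLD distinct client IPs in successful SASL logins.
count_smtp_login_hosts() {
    awk -v threshold="$1" '
        # Failed attempts also end in sasl_username=<name>: skip them.
        /sasl_username=/ && !/authentication failed/ {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                field = $i
                sub(/,$/, "", field)
                if (field ~ /^sasl_username=/) {
                    user = substr(field, 15)      # text after "sasl_username="
                } else if (field ~ /^client=/ && (n = index(field, "[")) > 0) {
                    ip = substr(field, n + 1)     # client=host[ip]
                    sub(/\].*/, "", ip)
                }
            }
            # Never count a line whose username or client IP is empty.
            if (user == "" || ip == "") next
            if (!((user, ip) in seen)) { seen[user, ip] = 1; hosts[user]++ }
        }
        END { for (u in hosts) if (hosts[u] > threshold + 0) print u, hosts[u] }
    ' | sort
}

# Constructed sample log (documentation IP ranges and made-up queue IDs),
# plus the failed-login line quoted in the commit message.
sample_log() {
    cat <<'EOF'
Nov 17 00:00:05 hermod postfix/smtpd[1001]: 1A2B3C4D5E: client=a.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Nov 17 00:00:09 hermod postfix/smtpd[1002]: 2B3C4D5E6F: client=b.example.org[198.51.100.20], sasl_method=PLAIN, sasl_username=alice
Nov 17 00:00:14 hermod postfix/smtpd[1003]: 3C4D5E6F7A: client=c.example.org[203.0.113.30], sasl_method=PLAIN, sasl_username=alice
Nov 17 00:00:21 hermod postfix/smtpd[1001]: 4D5E6F7A8B: client=a.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Nov 17 00:00:30 hermod postfix/smtpd[1004]: 5E6F7A8B9C: client=d.example.org[192.0.2.44], sasl_method=LOGIN, sasl_username=bob
Nov 17 00:00:41 hermod postfix/smtpd[1005]: 6F7A8B9C0D: client=e.example.org[198.51.100.45], sasl_method=LOGIN, sasl_username=bob
Nov 17 00:01:51 hermod postfix/smtpd[556252]: warning: lneuilly-657-1-113-189.w82-127.abo.wanadoo.fr[82.127.41.189]: SASL PLAIN authentication failed: (reason unavailable), sasl_username=contact
Nov 17 00:01:55 hermod postfix/smtpd[1006]: warning: unknown[203.0.113.77]: SASL PLAIN authentication failed: (reason unavailable), sasl_username=contact
Nov 17 00:01:59 hermod postfix/smtpd[1007]: warning: unknown[203.0.113.78]: SASL PLAIN authentication failed: (reason unavailable), sasl_username=contact
Nov 17 00:02:03 hermod postfix/smtpd[1008]: 7A8B9C0D1E: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=
EOF
}

sample_log | count_smtp_login_hosts 2
```

With a threshold of 2 only `alice 3` is reported; the three failed attempts for `contact` and the constructed empty-username line are not counted.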