From 6f5b7bacd84b0c78a7df62375fb5db091270a0a4 Mon Sep 17 00:00:00 2001
From: aoh <aoh@lysator.liu.se>
Date: Mon, 18 Nov 2024 20:07:22 +0100
Subject: [PATCH] warn-too-many-smtp-login-hosts: Only add extracted username

Currently, the script reports the following false positive.

> /etc/cron.hourly/warn-too-many-smtp-login-hosts:
> The following users have smtp logins from more than 20 different hosts.
> Please verify that these mail accounts haven't been compromised.
>
> USER                 #UNIQUE HOSTS
> -----------------------------------------
>                      2513

This commit tries to address this issue by checking if the extracted
username is an empty string.

The problem was that the script was matching lines similar to this one,
which ends with sasl_username=<name>

Nov 17 00:01:51 hermod postfix/smtpd[556252]: warning: lneuilly-657-1-113-189.w82-127.abo.wanadoo.fr[82.127.41.189]: SASL PLAIN authentication failed: (reason unavailable), sasl_username=contact

Hence I've also added the extra check

!/authentication failed/

which ignores all the lines with the text "authentication failed",
because we're not interested in those.
---
 Files/mailserver/cron/warn-too-many-smtp-login-hosts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/Files/mailserver/cron/warn-too-many-smtp-login-hosts b/Files/mailserver/cron/warn-too-many-smtp-login-hosts
index ae22ca57..048f96ea 100755
--- a/Files/mailserver/cron/warn-too-many-smtp-login-hosts
+++ b/Files/mailserver/cron/warn-too-many-smtp-login-hosts
@@ -6,8 +6,13 @@ BEGIN {
 		skip[line] = 1
 }
 
-/sasl_username/ {
-	addresses[substr($9, 15)][$7] += 1
+!/authentication failed/ && /sasl_username/ {
+	if (NF >= 9) {
+		extracted_user = substr($9, 15)
+		if (extracted_user != "") {
+			addresses[extracted_user][$7] += 1
+		}
+	}
 }
 
 END {
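Review bot: the new `NF >= 9` and `extracted_user != ""` guards only paper over the real fragility, which is that `substr($9, 15)` hard-codes both the field position and the length of the `sasl_username=` prefix; on the "authentication failed" line shown in the message `$9` is the SASL mechanism (`PLAIN`), which is why the username came out empty, and any other log shape with a ninth field of 15+ characters would still be counted under a garbage username. Consider locating the field by its prefix instead, e.g. `for (i = 1; i <= NF; i++) if ($i ~ /^sasl_username=/) user = substr($i, 15)`, or `user = $0; sub(/.*sasl_username=/, "", user)`, and keep the `!/authentication failed/` exclusion as a second filter rather than the primary one. The same applies to `$7`: on a successful login it is the `client=host[ip],` field, but on the warning line it is the bare `host[ip]:` token, so a positive match on `client=` (or `sasl_method=`) would tie the script to the exact line shape it is meant to count. A one-line comment above the rule documenting which Postfix log line the field offsets refer to would also help the next person who touches this.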
-- 
GitLab
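To make the false positive and the fix concrete, here is an added example (not the project's cron script) that runs both the pre-patch and the patched awk rule over a handful of constructed Postfix log lines, one of them the "authentication failed" line quoted in the commit message. It goes slightly beyond the patch by printing the old and new results side by side. It assumes a POSIX awk and sort on PATH; the `addresses[user][host]` arrays-of-arrays syntax in the project's script is a gawk extension, so the example keys user/host pairs with `SUBSEP` instead, and the `<empty>` label for an empty username is this example's own choice.

```shell
#!/bin/sh
# Added example, not the project's script. Reproduces the empty-username
# false positive and the patched rule on constructed sample log lines.

# Constructed sample log: two SASL failures (the false-positive shape, where
# $9 is the SASL mechanism) and four successful logins (where $9 is the
# sasl_username=... field and $7 the client=host[ip], field).
SAMPLE_LOG='Nov 17 00:01:51 hermod postfix/smtpd[556252]: warning: lneuilly-657-1-113-189.w82-127.abo.wanadoo.fr[82.127.41.189]: SASL PLAIN authentication failed: (reason unavailable), sasl_username=contact
Nov 17 00:02:03 hermod postfix/smtpd[556260]: warning: host-a.example.net[192.0.2.10]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=alice
Nov 17 00:02:10 hermod postfix/smtpd[556261]: 4A1B2C3D4E: client=mail-1.example.org[198.51.100.5], sasl_method=PLAIN, sasl_username=alice
Nov 17 00:02:15 hermod postfix/smtpd[556262]: 4A1B2C3D4F: client=mail-2.example.org[198.51.100.6], sasl_method=PLAIN, sasl_username=alice
Nov 17 00:02:20 hermod postfix/smtpd[556263]: 4A1B2C3D50: client=mail-1.example.org[198.51.100.5], sasl_method=PLAIN, sasl_username=alice
Nov 17 00:02:25 hermod postfix/smtpd[556264]: 4A1B2C3D51: client=mail-3.example.org[198.51.100.7], sasl_method=PLAIN, sasl_username=bob'

# count_hosts MODE: prints "user <unique host count>" per user, sorted.
# MODE "old" applies the pre-patch rule, "new" the patched one.
count_hosts() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v mode="$1" '
    # Pre-patch rule: any line mentioning sasl_username is counted, so the
    # failure lines contribute substr("PLAIN", 15) == "" as the username.
    mode == "old" && /sasl_username/ {
        user = substr($9, 15)
        seen[user, $7] = 1
    }
    # Patched rule: skip failures, require nine fields, drop empty names.
    mode == "new" && !/authentication failed/ && /sasl_username/ {
        if (NF >= 9) {
            user = substr($9, 15)
            if (user != "") seen[user, $7] = 1
        }
    }
    END {
        # Collapse (user, host) pairs into a per-user unique host count.
        for (key in seen) {
            split(key, parts, SUBSEP)
            hosts[parts[1]]++
        }
        for (user in hosts)
            printf "%s %d\n", (user == "" ? "<empty>" : user), hosts[user]
    }' | LC_ALL=C sort
}

echo "pre-patch rule:"
count_hosts old
echo "patched rule:"
count_hosts new
```

With the old rule the two failure lines are attributed to an empty username with two distinct hosts, which is exactly the blank row in the cron report; with the new rule only the real logins remain (alice from two hosts, bob from one).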