Postfix sasl log "SASL LOGIN authentication failed:"

Discussion in 'Installation/Configuration' started by Michaeltc, Jan 9, 2017.

  1. jnewman67

    jnewman67 Active Member HowtoForge Supporter

    I know this is old, but no one ever actually answered the OP's original question, but offered blocking suggestions instead. I have the same question, and I'd like to clarify why a bit as well.
    The original OP was looking for the username that was being used by the logins that were failing - specifically SMTP requests because they mentioned postfix. Till offered the closest configuration information, but that was IMAP and POP3 related, not SMTP.
    I need the same information as the OP.
    I specifically scour the log files looking for errors that include "authentication failed" and "SASL" together. I pull those IP addresses and compare them to known "good" addresses, and if I find them, I ignore them when doing my blocking. As my users are all local, I then compare the IP address to a geolocation lookup, and if they come from out-of-state or out-of-country, then I block them if they try often enough.
    My, and probably the OP's, issue is that for legitimate users that set up a device incorrectly, and leave it set wrong, it's annoying and throws flags, and could get them blocked, especially if fail2ban is used, and it would be nice to fix the source of the errors. It could be that someone's cell phone was set up correctly and they're just ignoring the error messages. It could be that a dedicated machine that's SUPPOSED to be sending out error messages or log files or informational emails got configured wrong, and it's not notifying someone when it should be. It could be that a password was changed on the server, but not on a machine that was using that email address.
    There are legitimate reasons for wanting this username information from postfix - I'm not arguing that the log files would be huge with verbose turned on (they get HUGE fast). I only plan on leaving it active long enough to get the data I need - but it would be nice to be able to get the information to solve a legitimate problem when there is one.
    I've tried turning on verbose in postfix, but I still wasn't able to get the information I was looking for, so I clearly wasn't doing it correctly.
    Thanks.
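
The triage described in the post above (match "SASL" plus "authentication failed", pull the client IP, set aside known-good sources, count repeats), as an added example that is not part of the original thread. The sample log lines, the `triage` name, the known-good network and the threshold are constructed; the trailing `sasl_username=` field is an assumption about what some Postfix versions log, and the geolocation step is left out.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the usual Postfix smtpd syslog shape.
# "UGFzc3dvcmQ6" is base64 for the server's "Password:" prompt, not a username.
SAMPLE_LOG = """\
Jan  9 10:15:01 mail postfix/smtpd[2211]: connect from unknown[203.0.113.5]
Jan  9 10:15:03 mail postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  9 10:15:09 mail postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  9 10:16:40 mail postfix/submission/smtpd[2250]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: (reason unavailable), sasl_username=info@example.com
Jan  9 10:20:11 mail postfix/smtpd[2301]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  9 11:02:54 mail postfix/smtpd[2410]: warning: printer.lan[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  9 11:32:54 mail postfix/smtpd[2466]: warning: printer.lan[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  9 11:40:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=198.51.100.7
"""

# Client IP from smtpd warnings; username only if the line happens to carry one.
FAILED = re.compile(
    r"postfix/\S*smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL \S+ authentication failed"
    r"(?:.*?sasl_username=(?P<user>\S+))?"
)

def triage(log_text, known_good, threshold):
    """Return (block, fix): outside sources at or over the threshold, and
    known-good sources that are failing (likely misconfigured devices)."""
    nets = [ip_network(n) for n in known_good]
    outside, inside, users = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ip_address(m["ip"])
        except ValueError:
            continue  # bracketed text that is not a valid address
        bucket = inside if any(ip in net for net in nets) else outside
        bucket[str(ip)] += 1
        if m["user"]:
            users.setdefault(str(ip), set()).add(m["user"])
    block = {ip: {"failures": n, "users": sorted(users.get(ip, ()))}
             for ip, n in outside.items() if n >= threshold}
    return block, dict(inside)
```
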
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The original thread is 6 years old. I think you should just have created a new thread and referred to the old one in your post.
    This depends on what original question is deemed to be. If it is
    Then that was answered as "You have to turn on verbose logging to see the details. "
    Are you saying this does not log the mailbox name?
     
  3. jnewman67

    jnewman67 Active Member HowtoForge Supporter

    Thanks for the response. Not arguing, but this was my experience with "use verbose".
    I know that I turned on verbose logging in the postfix config, using information I found online at the time, and that I witnessed the difference in size of the log files. I don't remember if 1) it didn't actually show the username information, or 2) that it didn't do it soon enough that I could allow the log file to continue growing at that rate - the events in question for my situation do not happen frequently enough within a 10-minute period to log it responsibly. That said, if it had given me the information I had needed, I would've used it to solve that issue, and others that have been added to the list since then, so my testing did not yield a useful result. I was kind of hoping that someone would say "yes, verbose will show you the username used during SMTP authentication" and an instruction on how to do that effectively and responsibly - I didn't feel this was done in this post previously - maybe I'm wrong there. If there is a more targeted implementation of "turn on verbose" that would be more useful, and less impactful to the system, I was hoping someone would know that as well. And maybe there are different ways to implement "verbose" logging in postfix than the one that I found and tried. I'm not savvy enough about postfix to know that, and my digging online didn't seem to turn up any concrete or finessed examples that yielded me the information I was seeking.
    Not saying "verbose" isn't the answer, but from a practical standpoint, it's not a solution for long-term problem solving, and could create more of a problem than just allowing the problematic login attempts to continue.
    Thanks.
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  5. jnewman67

    jnewman67 Active Member HowtoForge Supporter

    Thank you. It wasn't the first result for me, but glad you found it.
    I'll give it a try.
     
