From 6f197337401c695f0776a99b6c85d3c06035fe6f Mon Sep 17 00:00:00 2001
From: gilles <gilles@openbsd.org>
Date: Fri, 15 May 2015 07:34:45 +0000
Subject: [PATCH] the code to prevent AUTH PLAIN from logging credentials upon
 authentication failure does not catch the AUTH LOGIN case. rework to use the
 session state rather than using the session command.

spotted by pkern@debian.org
---
 usr.sbin/smtpd/smtp_session.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c
index c2d8cbeac41..5dd6a585add 100644
--- a/usr.sbin/smtpd/smtp_session.c
+++ b/usr.sbin/smtpd/smtp_session.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: smtp_session.c,v 1.229 2015/04/19 20:29:12 gilles Exp $	*/
+/*	$OpenBSD: smtp_session.c,v 1.230 2015/05/15 07:34:45 gilles Exp $	*/
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1947,9 +1947,17 @@ smtp_reply(struct smtp_session *s, char *fmt, ...)
 			log_info("smtp-in: Bad input on session %016"PRIx64
 			    ": %.*s", s->id, n, buf);
 		}
-		else if (strstr(s->cmd, "AUTH ") == s->cmd) {
+		else if (s->state == STATE_AUTH_INIT) {
 			log_info("smtp-in: Failed command on session %016"PRIx64
-			    ": \"AUTH [...]\" => %.*s", s->id, n, buf);
+			    ": \"AUTH PLAIN (...)\" => %.*s", s->id, n, buf);
+		}
+		else if (s->state == STATE_AUTH_USERNAME) {
+			log_info("smtp-in: Failed command on session %016"PRIx64
+			    ": \"AUTH LOGIN (username)\" => %.*s", s->id, n, buf);
+		}
+		else if (s->state == STATE_AUTH_PASSWORD) {
+			log_info("smtp-in: Failed command on session %016"PRIx64
+			    ": \"AUTH LOGIN (password)\" => %.*s", s->id, n, buf);
 		}
 		else {
 			strnvis(tmp, s->cmd, sizeof tmp, VIS_SAFE | VIS_CSTYLE);
-- 
2.20.1