SASL LOGIN authentication failed

BliXem
Posts: 80
Joined: 27 Mar 2017 19:17

SASL LOGIN authentication failed

Post by BliXem » 14 Apr 2017 15:31

Can I ignore these errors? Or is there something wrong on the server?

Apr 14 17:29:47 mailscanner postfix/smtpd[24207]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure
Apr 14 17:29:47 mailscanner postfix/smtpd[24209]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure
Apr 14 17:29:47 mailscanner postfix/smtpd[24330]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure
Apr 14 17:29:47 mailscanner postfix/smtpd[25017]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure

shawniverson
Posts: 2994
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: SASL LOGIN authentication failed

Post by shawniverson » 15 Apr 2017 15:54

Means someone attempted to login using SASL on SMTP is all. If you don't use SASL, you can safely turn off SASL Auth to suppress these.
Version eFa 4.0.2 now available!

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii » 24 Apr 2017 13:23

or better yet, instead of turning off SASL, install fail2ban and block all those spammers who tried authentication ;-)
that's what I do as EFA is simply an incoming filter and outgoing relay for my EX so absolutely no authentication happens on EFA.

shawniverson
Posts: 2994
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: SASL LOGIN authentication failed

Post by shawniverson » 24 Apr 2017 22:49

That is a really good idea :D

pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: SASL LOGIN authentication failed

Post by pdwalker » 25 Apr 2017 04:14

ovizii wrote:
24 Apr 2017 13:23
or better yet, instead of turning off SASL, install fail2ban and block all those spammers who tried authentication ;-)
that's what I do as EFA is simply an incoming filter and outgoing relay for my EX so absolutely no authentication happens on EFA.
ovizii,

Have you implemented this? If so, can you write up some notes on how to do this? This will also have the nice side effect of blocking spammers.

Much appreciated!

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii » 25 Apr 2017 08:46

sure, I'll try from memory:

yum install fail2ban

then cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

edit jail.local and adapt to your needs. remove anything you don't change. Mine looks like this:

Code:

[INCLUDES]

before = paths-fedora.conf

[DEFAULT]

ignoreip = 127.0.0.1/8

# 43200 = 12h
bantime  = 43200

# 86400 = 24h
findtime  = 86400

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

usedns = no
enabled = false
destemail = fail2ban@localhost
sender = fail2ban
mta = mail
banaction = iptables-multiport
banaction_allports = iptables-allports

#disabled the action with _MWL as that sends out emails :-/
#action = %(action_mwl)s
action = %(action_)s

[postfix]
enabled = true
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s


[postfix-rbl]
enabled = true
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s

[postfix-sasl]
enabled = true
port     = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s

#You might want to enable recidive too by changing false to true below? 

[recidive]
enabled = false
logpath  = /var/log/messages
banaction = %(banaction_allports)s
bantime  = 604800  ; 1 week
findtime = 259200 ; 3 days
maxretry = 5
action = %(action_mwl)s

check the results by looking at the iptables:

Code:

iptables -nvL --line-numbers | more


or tailing the log live:

Code:

tail -f /var/log/messages | grep fail2ban

I also had to edit: /etc/fail2ban/filter.d/postfix-rbl.conf
and add the second line to the failregex:

Code:

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$

please give me feedback if this works for you or if you spot a mistake.

pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: SASL LOGIN authentication failed

Post by pdwalker » 25 Apr 2017 19:07

*rubs hands gleefully*

excellent! I'll test this in the morning. yet another customization to challenge the upgrade process.

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii » 25 Apr 2017 20:31

I'd be really happy to get feedback in general and particularly to the findtime / bantime I chose. Those might not be the best choices and I'll be glad to hear about someone else's logic and values.
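
Added example, not from any poster in this thread: a simplified Python model of how maxretry, findtime and bantime interact, run over constructed log lines in the format quoted at the top of the thread. The regex, the `simulate` function and the sample IPs (documentation ranges) are assumptions for illustration, not fail2ban's own code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified pattern for the warning quoted at the top of the thread
# (an assumption for this example, not fail2ban's shipped postfix-sasl filter).
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed")

def simulate(lines, maxretry=5, findtime=86400, bantime=43200, year=2017):
    """Return [(ip, ban_start, ban_end)] for a simplified fail2ban model."""
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    banned_until, bans = {}, []
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ts < banned_until.get(ip, ts):
            continue  # still banned: the firewall would have dropped this
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            # bantime = -1 means a permanent ban
            until = datetime.max if bantime < 0 else ts + timedelta(seconds=bantime)
            banned_until[ip] = until
            bans.append((ip, ts, until))
            window.clear()
    return bans

def _line(ts, ip):
    return (f"{ts} mailscanner postfix/smtpd[24207]: warning: unknown[{ip}]: "
            "SASL LOGIN authentication failed: authentication failure")

# Constructed sample: one burst source and one slow source (documentation IPs).
BURST = [(f"Apr 14 17:29:{s}", "203.0.113.7") for s in range(47, 53)]
SLOW = [(t, "198.51.100.9") for t in ("Apr 14 00:00:00", "Apr 14 07:00:00",
        "Apr 14 14:00:00", "Apr 14 21:00:00", "Apr 15 04:00:00")]
SAMPLE = [_line(t, ip) for t, ip in sorted(BURST + SLOW)]

if __name__ == "__main__":
    for ft in (86400, 604800):  # the thread's 24 h value vs. the one-week value
        print(ft, [(ip, str(start)) for ip, start, _ in simulate(SAMPLE, findtime=ft)])
```

With a findtime of 86400 only the burst source is banned; with 604800 the slow source, which tries once every seven hours, is banned as well.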

BliXem
Posts: 80
Joined: 27 Mar 2017 19:17

Re: SASL LOGIN authentication failed

Post by BliXem » 26 Apr 2017 08:16

pdwalker wrote:
25 Apr 2017 19:07
*rubs hands gleefully*

excellent! I'll test this in the morning. yet another customization to challenge the upgrade process.
And, does it work perfectly?

pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: SASL LOGIN authentication failed

Post by pdwalker » 26 Apr 2017 08:23

just started working on it... I'll let you know.

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii » 26 Apr 2017 08:36

btw. in my above configuration, I have set this action globally, unless a more specific action is defined for a jail.

so this is the global action: action = %(action_)s

and for the recidive jail I specified a different one: action = %(action_mwl)s which sends out emails about each blocked IP.

BliXem
Posts: 80
Joined: 27 Mar 2017 19:17

Re: SASL LOGIN authentication failed

Post by BliXem » 26 Apr 2017 08:38

ovizii wrote:
26 Apr 2017 08:36
btw. in my above configuration, I have set this action globally, unless a more specific action is defined for a jail.

so this is the global action: action = %(action_)s

and for the recidive jail I specified a different one: action = %(action_mwl)s which sends out emails about each blocked IP.
To make this easy for me and maybe for others, you should copy your configuration for us with your edited rule(s).

BliXem
Posts: 80
Joined: 27 Mar 2017 19:17

Re: SASL LOGIN authentication failed

Post by BliXem » 26 Apr 2017 08:53


ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii » 26 Apr 2017 09:16

BliXem wrote:
26 Apr 2017 08:38
To make this easy for me and maybe for others, you should copy your configuration for us with your edited rule(s).
as I said above: copy jail.conf to jail.local then edit jail.local and delete everything you don't change. here is mine: https://transfer.sh/5XAfY/jail.local or https://pastebin.com/jn8K6Ztw

wilbourne
Posts: 52
Joined: 22 Sep 2016 09:04

Re: SASL LOGIN authentication failed

Post by wilbourne » 26 Apr 2017 09:31

Thanks :clap:

To permanently ban an ip you can use this option:

bantime = -1
findtime = 604800

I use a long findtime to prevent some servers from being blacklisted

pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: SASL LOGIN authentication failed

Post by pdwalker » 26 Apr 2017 10:29

[root@efa mailscanner]# yum install fail2ban
[root@efa mailscanner]# cp jail.conf jail.local
vi jail.local # and edit according to needs.

I disabled the postfix and postfix-rbl jails, but I enabled the postfix-sasl jail (viewtopic.php?p=7469#p7469)

Seems to be working, all my sasl authentication failures have basically disappeared.

And the reason I disabled the postfix and postfix-rbl fail2ban jails is most of our mail comes through the messagelabs Antivirus/Antispam filtering service. The service still lets some spam through, and the fail2ban postfix/postfix-rbl rules start blocking it.

pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: SASL LOGIN authentication failed

Post by pdwalker » 26 Apr 2017 10:30

wilbourne wrote:
26 Apr 2017 09:31
Thanks :clap:

To permanently ban an ip you can use this option:

bantime = -1
findtime = 604800

I use a long findtime to prevent some servers from being blacklisted
I don't think permanent bans are a good idea.

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii » 26 Apr 2017 11:06

pdwalker wrote:
26 Apr 2017 10:29
And the reason I disabled the postfix and postfix-rbl fail2ban jails is most of our mail comes through the messagelabs Antivirus/Antispam filtering service. The service still lets some spam through, and the fail2ban postfix/postfix-rbl rules start blocking it.
You're right. What I did was use the action which sends emails for every ban and monitored this very closely. After having no false positives I enabled postfix-rbl but as you said, your mileage may vary :-)

Gate Array
Posts: 23
Joined: 30 Aug 2017 09:36

Re: SASL LOGIN authentication failed

Post by Gate Array » 04 Sep 2017 10:15

shawniverson wrote:
15 Apr 2017 15:54
Means someone attempted to login using SASL on SMTP is all. If you don't use SASL, you can safely turn off SASL Auth to suppress these.
Hi,

which is the best way to do it?

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii » 05 Dec 2017 13:35

!!!ATTENTION!!!

Whoever copied my sample config from https://pastebin.com/jn8K6Ztw please go edit your config and replace my email address with yours. I keep receiving emails for someone else's fail2ban installation :-)

I'm not naming the sender here as to not embarrass anyone and I have edited the pastebin sample and removed my email from there too :-)

pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: SASL LOGIN authentication failed

Post by pdwalker » 06 Dec 2017 07:19

:D

Good luck!

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii » 29 Jan 2020 08:41

pdwalker wrote:
06 Dec 2017 07:19
:D

Good luck!
no luck. still getting those pesky emails :roll:

shawniverson
Posts: 2994
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: SASL LOGIN authentication failed

Post by shawniverson » 29 Jan 2020 11:37

I can send my alerts to you? :roll: :dance: :lol:

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii » 29 Jan 2020 11:41

shawniverson wrote:
29 Jan 2020 11:37
I can send my alerts to you? :roll: :dance: :lol:
Please don't do that. :roll:
I learned a very valuable lesson to double check my posted snippets before publicly submitting them.

pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: SASL LOGIN authentication failed

Post by pdwalker » 03 Feb 2020 03:41

*facepalm*

I feel your pain.
