efa-project.org

Can I ignore these errors? Or is there something wrong on the server?

Apr 14 17:29:47 mailscanner postfix/smtpd[24207]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure
Apr 14 17:29:47 mailscanner postfix/smtpd[24209]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure
Apr 14 17:29:47 mailscanner postfix/smtpd[24330]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure
Apr 14 17:29:47 mailscanner postfix/smtpd[25017]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure

Means someone attempted to login using SASL on SMTP is all. If you don't use SASL, you can safely turn off SASL Auth to suppress these.

or better yet, instead of turning off SASL, install fail2ban and block all those spammers who tried authentication
that's what I do as EFA is simply an incoming filter and outgoing relay for my EX so absolutely no authentication happens on EFA.

That is a really good idea

ovizii wrote: ↑24 Apr 2017 13:23 or better yet, instead of turning off SASL, install fail2ban and block all those spammers who tried authentication
that's what I do as EFA is simply an incoming filter and outgoing relay for my EX so absolutely no authentication happens on EFA.

ovizii,

Have you implemented this? If so, can you write up some notes on how to do this? This will also have the nice side effect of blocking spammers.

Much appreciated!

sure, I'll try from memory:

yum install fail2ban

then cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

edit jail.local and adapt to your needs. remove anything you don't change. Mine looks like this:
check the results by looking at the iptables:

or tailing the log live: I also had to edit: /etc/fail2ban/filter.d/postfix-rbl.conf
and add the second line to the failregex: please give me feedback if this works for you or if you spot a mistake.

*rubs hands gleefully*

excellent! I'll test this in the morning. yet another customization to challenge the upgrade process.

I'd be really happy to get feedback in general and particularly to the findtime / bantime I chose. Those might not be the best choices and I'll be glad to hear about someone else's logic and values.

pdwalker wrote: ↑25 Apr 2017 19:07 *rubs hands gleefully*

excellent! I'll test this in the morning. yet another customization to challenge the upgrade process.

And, does it works perfectly?

just started working on it... I'll let you know.

btw. in my above configuration, I have set this action globally, unless a more specific action is defined for a jail.

so this is the global action: action = %(action_)s

and for the recidive jail I specified a different one: action = %(action_mwl)s which sends out emails about each blocked IP.

ovizii wrote: ↑26 Apr 2017 08:36 btw. in my above configuration, I have set this action globally, unless a more specific action is defined for a jail.

so this is the global action: action = %(action_)s

and for the recidive jail I specified a different one: action = %(action_mwl)s which sends out emails about each blocked IP.

To make this easy for me and maybe for others, you should copy your configuration for us with your editted rule(s).

Maybe you can add this to:

http://www.fail2ban.org/wiki/index.php/Talk:Postfix

BliXem wrote: ↑26 Apr 2017 08:38 To make this easy for me and maybe for others, you should copy your configuration for us with your editted rule(s).

as I said above: copy jail.conf to jail.local then edit jail.local and delete everything you don't change. here is mine: https://transfer.sh/5XAfY/jail.local or https://pastebin.com/jn8K6Ztw

Thank's

To permanently ban an ip you can use this option:

bantime = -1
findtime = 604800

I use a long findtime to prevent some servers for blacklisted

[root@efa mailscanner]# yum install fail2ban
[root@efa mailscanner]# cp jail.conf jail.local
vi jail.local # and edit according to needs.

I disabled the postfix and postfix-rbl jails, but I enabled the postfix-sasl jail (viewtopic.php?p=7469#p7469)

Seems to be working, all my sasl authentication failures have basically disappeared.

And the reason I disabled the postfix and postfix-rbl fail2ban jails is most of our mail comes through the messagelabs Antivirus/Antispam filtering service. The service still lets some spam through, and the fail2pan postfix/postfix-rbl rules starts blocking it.

wilbourne wrote: ↑26 Apr 2017 09:31 Thank's

To permanently ban an ip you can use this option:

bantime = -1
findtime = 604800

I use a long findtime to prevent some servers for blacklisted

I don't think permanent bans are a good idea.

pdwalker wrote: ↑26 Apr 2017 10:29 And the reason I disabled the postfix and postfix-rbl fail2ban jails is most of our mail comes through the messagelabs Antivirus/Antispam filtering service. The service still lets some spam through, and the fail2pan postfix/postfix-rbl rules starts blocking it.

You're right. What I did was use the action which sends emails for every ban and monitored this very closely. After having no false positives I enabled postfix-rbl but as you said, your mileage may vary

shawniverson wrote: ↑15 Apr 2017 15:54 Means someone attempted to login using SASL on SMTP is all. If you don't use SASL, you can safely turn off SASL Auth to suppress these.

Hi,

which is the best way to do it?

!!!ATTENTION!!!

Whoever copied my sample config from https://pastebin.com/jn8K6Ztw please go edit your config and replace my email address with yours. I keep receiving emails for someone else's fail2ban installation

I'm not naming the sender here as to not embarrass anyone and I have edited the pastebin sample and removed my email from there too

Good luck!

pdwalker wrote: ↑06 Dec 2017 07:19

Good luck!

no luck. still getting those pesky emails

I can send my alerts to you?

shawniverson wrote: ↑29 Jan 2020 11:37 I can send my alerts to you?

Please don't do that.
I learned a very valuable lesson to double check my posted snippets before publicly submitting them.

*facepalm*

I feel your pain.