SASL LOGIN authentication failed

BliXem
Posts: 80
Joined: 27 Mar 2017 19:17

SASL LOGIN authentication failed

Post by BliXem »

Can I ignore these errors? Or is there something wrong on the server?

Apr 14 17:29:47 mailscanner postfix/smtpd[24207]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure
Apr 14 17:29:47 mailscanner postfix/smtpd[24209]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure
Apr 14 17:29:47 mailscanner postfix/smtpd[24330]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure
Apr 14 17:29:47 mailscanner postfix/smtpd[25017]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: SASL LOGIN authentication failed

Post by shawniverson »

Means someone attempted to log in using SASL on SMTP is all. If you don't use SASL, you can safely turn off SASL Auth to suppress these.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii »

or better yet, instead of turning off SASL, install fail2ban and block all those spammers who tried authentication ;-)
that's what I do as EFA is simply an incoming filter and outgoing relay for my EX so absolutely no authentication happens on EFA.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: SASL LOGIN authentication failed

Post by shawniverson »

That is a really good idea :D
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: SASL LOGIN authentication failed

Post by pdwalker »

ovizii wrote: 24 Apr 2017 13:23
> or better yet, instead of turning off SASL, install fail2ban and block all those spammers who tried authentication ;-)
> that's what I do as EFA is simply an incoming filter and outgoing relay for my EX so absolutely no authentication happens on EFA.

ovizii,

Have you implemented this? If so, can you write up some notes on how to do this? This will also have the nice side effect of blocking spammers.

Much appreciated!
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii »

sure, I'll try from memory:

yum install fail2ban

then cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

edit jail.local and adapt to your needs. remove anything you don't change. Mine looks like this:

[INCLUDES]

before = paths-fedora.conf

[DEFAULT]

ignoreip = 127.0.0.1/8

# 43200 = 12h
bantime  = 43200

# 86400 = 24h
findtime  = 86400

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

usedns = no
enabled = false
destemail = fail2ban@localhost
sender = fail2ban
mta = mail
banaction = iptables-multiport
banaction_allports = iptables-allports

#disabled the action with _MWL as that sends out emails :-/
#action = %(action_mwl)s
action = %(action_)s

[postfix]
enabled = true
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s


[postfix-rbl]
enabled = true
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s

[postfix-sasl]
enabled = true
port     = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s

#You might want to enable recidive too by changing false to true below? 

[recidive]
enabled = false
logpath  = /var/log/messages
banaction = %(banaction_allports)s
bantime  = 604800  ; 1 week
findtime = 259200 ; 3 days
maxretry = 5
action = %(action_mwl)s

check the results by looking at the iptables:

iptables -nvL --line-numbers | more


or tailing the log live:

tail -f /var/log/messages | grep fail2ban

I also had to edit: /etc/fail2ban/filter.d/postfix-rbl.conf
and add the second line to the failregex:

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$

please give me feedback if this works for you or if you spot a mistake.
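
A replay of what the postfix-sasl jail above decides with maxretry = 5, findtime = 86400 and bantime = 43200, written as an added example that is not part of the original posts or of fail2ban's own code. The regex is a simplified stand-in for the shipped filter, and every log line is constructed in the shape of the ones in the first post (the 64.77.233.90 entries repeat the four posted failures).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds from the [DEFAULT] section of the jail.local posted above.
MAXRETRY, FINDTIME, BANTIME = 5, 86400, 43200

# Simplified stand-in for a SASL failregex (assumption: not fail2ban's shipped filter).
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<host>[0-9A-Fa-f.:]+)\]: SASL \S+ authentication failed")

def parse(line, year=2017):
    """Return (seconds_since_new_year, host) for a SASL failure line, else None."""
    m = SASL_FAIL.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return (ts - datetime(year, 1, 1)).total_seconds(), m["host"]

def simulate(lines):
    """Replay lines in order; return [(host, ban_start, ban_end)] for each ban."""
    recent = defaultdict(deque)        # host -> failure times still inside findtime
    banned_until, bans = {}, []
    for now, host in filter(None, map(parse, lines)):
        if banned_until.get(host, 0) > now:
            continue                   # already blocked by the firewall rule
        q = recent[host]
        q.append(now)
        while now - q[0] > FINDTIME:   # drop failures older than findtime
            q.popleft()
        if len(q) >= MAXRETRY:         # threshold reached: ban and reset the counter
            banned_until[host] = now + BANTIME
            bans.append((host, now, now + BANTIME))
            q.clear()
    return bans

def fail(ts, ip):  # constructed line, same shape as the ones in the first post
    return (f"{ts} mailscanner postfix/smtpd[1234]: warning: unknown[{ip}]: "
            "SASL LOGIN authentication failed: authentication failure")

SAMPLE = (
    [fail("Apr 12 09:00:00", "203.0.113.9")]              # older than findtime
    + [fail("Apr 14 17:29:47", "64.77.233.90")] * 4       # the four posted failures
    + [fail(f"Apr 14 17:30:0{i}", "198.51.100.7") for i in range(5)]
    + [fail(f"Apr 14 17:31:0{i}", "203.0.113.9") for i in range(4)]
    + ["Apr 14 17:32:00 mailscanner postfix/smtpd[1234]: connect from unknown[192.0.2.1]"]
)
```

The four failures from the first post stay below maxretry, so that host would not have been banned yet. The 203.0.113.9 failure from two days earlier falls outside findtime and does not count towards its total.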
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: SASL LOGIN authentication failed

Post by pdwalker »

*rubs hands gleefully*

excellent! I'll test this in the morning. yet another customization to challenge the upgrade process.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii »

I'd be really happy to get feedback in general and particularly to the findtime / bantime I chose. Those might not be the best choices and I'll be glad to hear about someone else's logic and values.
BliXem
Posts: 80
Joined: 27 Mar 2017 19:17

Re: SASL LOGIN authentication failed

Post by BliXem »

pdwalker wrote: 25 Apr 2017 19:07
> *rubs hands gleefully*
>
> excellent! I'll test this in the morning. yet another customization to challenge the upgrade process.

And, does it work perfectly?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: SASL LOGIN authentication failed

Post by pdwalker »

just started working on it... I'll let you know.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii »

btw. in my above configuration, I have set this action globally, unless a more specific action is defined for a jail.

so this is the global action: action = %(action_)s

and for the recidive jail I specified a different one: action = %(action_mwl)s which sends out emails about each blocked IP.
BliXem
Posts: 80
Joined: 27 Mar 2017 19:17

Re: SASL LOGIN authentication failed

Post by BliXem »

ovizii wrote: 26 Apr 2017 08:36
> btw. in my above configuration, I have set this action globally, unless a more specific action is defined for a jail.
>
> so this is the global action: action = %(action_)s
>
> and for the recidive jail I specified a different one: action = %(action_mwl)s which sends out emails about each blocked IP.

To make this easy for me and maybe for others, you should copy your configuration for us with your edited rule(s).
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii »

BliXem wrote: 26 Apr 2017 08:38
> To make this easy for me and maybe for others, you should copy your configuration for us with your edited rule(s).

as I said above: copy jail.conf to jail.local then edit jail.local and delete everything you don't change. here is mine: https://transfer.sh/5XAfY/jail.local or https://pastebin.com/jn8K6Ztw
wilbourne
Posts: 52
Joined: 22 Sep 2016 09:04

Re: SASL LOGIN authentication failed

Post by wilbourne »

Thanks :clap:

To permanently ban an ip you can use this option:

bantime = -1
findtime = 604800

I use a long findtime to prevent some servers from being blacklisted
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: SASL LOGIN authentication failed

Post by pdwalker »

[root@efa mailscanner]# yum install fail2ban
[root@efa mailscanner]# cp jail.conf jail.local
vi jail.local # and edit according to needs.

I disabled the postfix and postfix-rbl jails, but I enabled the postfix-sasl jail (viewtopic.php?p=7469#p7469)

Seems to be working, all my sasl authentication failures have basically disappeared.

And the reason I disabled the postfix and postfix-rbl fail2ban jails is most of our mail comes through the messagelabs Antivirus/Antispam filtering service. The service still lets some spam through, and the fail2ban postfix/postfix-rbl rules start blocking it.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: SASL LOGIN authentication failed

Post by pdwalker »

wilbourne wrote: 26 Apr 2017 09:31
> Thanks :clap:
>
> To permanently ban an ip you can use this option:
>
> bantime = -1
> findtime = 604800
>
> I use a long findtime to prevent some servers from being blacklisted

I don't think permanent bans are a good idea.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii »

pdwalker wrote: 26 Apr 2017 10:29
> And the reason I disabled the postfix and postfix-rbl fail2ban jails is most of our mail comes through the messagelabs Antivirus/Antispam filtering service. The service still lets some spam through, and the fail2ban postfix/postfix-rbl rules start blocking it.

You're right. What I did was use the action which sends emails for every ban and monitored this very closely. After having no false positives I enabled postfix-rbl but as you said, your mileage may vary :-)
Gate Array
Posts: 23
Joined: 30 Aug 2017 09:36

Re: SASL LOGIN authentication failed

Post by Gate Array »

shawniverson wrote: 15 Apr 2017 15:54
> Means someone attempted to log in using SASL on SMTP is all. If you don't use SASL, you can safely turn off SASL Auth to suppress these.

Hi,

which is the best way to do it?
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii »

!!!ATTENTION!!!

Whoever copied my sample config from https://pastebin.com/jn8K6Ztw please go edit your config and replace my email address with yours. I keep receiving emails for someone else's fail2ban installation :-)

I'm not naming the sender here as to not embarrass anyone and I have edited the pastebin sample and removed my email from there too :-)
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: SASL LOGIN authentication failed

Post by pdwalker »

:D

Good luck!
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii »

pdwalker wrote: 06 Dec 2017 07:19
> :D
>
> Good luck!

no luck. still getting those pesky emails :roll:
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: SASL LOGIN authentication failed

Post by shawniverson »

I can send my alerts to you? :roll: :dance: :lol:
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: SASL LOGIN authentication failed

Post by ovizii »

shawniverson wrote: 29 Jan 2020 11:37
> I can send my alerts to you? :roll: :dance: :lol:

Please don't do that. :roll:
I learned a very valuable lesson to double check my posted snippets before publicly submitting them.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: SASL LOGIN authentication failed

Post by pdwalker »

*facepalm*

I feel your pain.