SASL LOGIN authentication failed
Can I ignore these errors? Or is there something wrong on the server?
Apr 14 17:29:47 mailscanner postfix/smtpd[24207]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure
Apr 14 17:29:47 mailscanner postfix/smtpd[24209]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure
Apr 14 17:29:47 mailscanner postfix/smtpd[24330]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure
Apr 14 17:29:47 mailscanner postfix/smtpd[25017]: warning: unknown[64.77.233.90]: SASL LOGIN authentication failed: authentication failure
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: SASL LOGIN authentication failed
Means someone attempted to login using SASL on SMTP is all. If you don't use SASL, you can safely turn off SASL Auth to suppress these.
Re: SASL LOGIN authentication failed
or better yet, instead of turning off SASL, install fail2ban and block all those spammers who tried authentication
that's what I do as EFA is simply an incoming filter and outgoing relay for my EX so absolutely no authentication happens on EFA.
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: SASL LOGIN authentication failed
That is a really good idea
Re: SASL LOGIN authentication failed
ovizii,
Have you implemented this? If so, can you write up some notes on how to do this? This will also have the nice side effect of blocking spammers.
Much appreciated!
Re: SASL LOGIN authentication failed
sure, I'll try from memory:
yum install fail2ban
then cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
edit jail.local and adapt to your needs. remove anything you don't change. Mine looks like this:
Code:
[INCLUDES]
before = paths-fedora.conf

[DEFAULT]
ignoreip = 127.0.0.1/8
# 43200 = 12h
bantime = 43200
# 86400 = 24h
findtime = 86400
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
usedns = no
enabled = false
destemail = fail2ban@localhost
sender = fail2ban
mta = mail
banaction = iptables-multiport
banaction_allports = iptables-allports
#disabled the action with _MWL as that sends out emails :-/
#action = %(action_mwl)s
action = %(action_)s

[postfix]
enabled = true
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[postfix-rbl]
enabled = true
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[postfix-sasl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(postfix_log)s
backend = %(postfix_backend)s

#You might want to enable recidive too by changing false to true below?
[recidive]
enabled = false
logpath = /var/log/messages
banaction = %(banaction_allports)s
bantime = 604800 ; 1 week
findtime = 259200 ; 3 days
maxretry = 5
action = %(action_mwl)s
check the results by looking at the iptables:
Code:
iptables -nvL --line-numbers | more
or tailing the log live:
Code:
tail -f /var/log/messages | grep fail2ban
I also had to edit: /etc/fail2ban/filter.d/postfix-rbl.conf
and add the second line to the failregex:
Code:
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
please give me feedback if this works for you or if you spot a mistake.
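Added example, not part of the thread and not fail2ban's own code: a simplified Python model of how the maxretry and findtime values in the [DEFAULT] section above decide which hosts a postfix-sasl style jail would ban, run over log lines in the format from the first post. The names hosts_to_ban, sample and LOG are hypothetical, the log lines and addresses are constructed, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Postfix smtpd warning in the format quoted in the first post of the thread.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL \w+ authentication failed")

def hosts_to_ban(lines, maxretry=5, findtime=86400,
                 ignoreip=("127.0.0.1/8",), year=2017):
    """Map each offending IP to the time its maxretry-th failure fell inside findtime."""
    ignored = [ip_network(net, strict=False) for net in ignoreip]
    window = defaultdict(deque)          # ip -> failure times still inside findtime
    banned = {}
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m or m["ip"] in banned:
            continue
        if any(ip_address(m["ip"]) in net for net in ignored):
            continue
        # Syslog timestamps carry no year, so one is assumed (parameter `year`).
        t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = window[m["ip"]]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()                  # forget failures older than findtime
        if len(q) >= maxretry:
            banned[m["ip"]] = t
    return banned

def sample(ts, ip):
    """Build one constructed log line in the format shown in the thread."""
    return (f"{ts} mailscanner postfix/smtpd[24207]: warning: unknown[{ip}]: "
            "SASL LOGIN authentication failed: authentication failure")

# Constructed sample input (documentation-range addresses, not real hosts).
LOG = ([sample("Apr 14 17:29:47", "203.0.113.10")] * 5      # burst: 5 in one second
       + [sample("Apr 14 17:30:00", "198.51.100.7")] * 4    # stays below maxretry
       + [sample("Apr 14 17:31:00", "127.0.0.1")] * 6       # covered by ignoreip
       + [sample(f"Apr {d} 03:00:00", "192.0.2.55") for d in range(10, 15)])  # 1/day

if __name__ == "__main__":
    for ip, when in hosts_to_ban(LOG).items():
        print(f"{ip} would be banned at {when}")
    # A week-long findtime (604800, as used later in the thread) also counts the 1/day host.
    print(sorted(hosts_to_ban(LOG, findtime=604800)))
```

With the 24-hour findtime only the burst host reaches maxretry; the one-failure-per-day host is counted only once findtime spans several days, which is the trade-off behind the findtime and bantime values discussed in the thread.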
Re: SASL LOGIN authentication failed
*rubs hands gleefully*
excellent! I'll test this in the morning. yet another customization to challenge the upgrade process.
Re: SASL LOGIN authentication failed
I'd be really happy to get feedback in general and particularly to the findtime / bantime I chose. Those might not be the best choices and I'll be glad to hear about someone else's logic and values.
Re: SASL LOGIN authentication failed
just started working on it... I'll let you know.
Re: SASL LOGIN authentication failed
btw. in my above configuration, I have set this action globally, unless a more specific action is defined for a jail.
so this is the global action: action = %(action_)s
and for the recidive jail I specified a different one: action = %(action_mwl)s which sends out emails about each blocked IP.
Re: SASL LOGIN authentication failed
ovizii wrote: ↑26 Apr 2017 08:36
btw. in my above configuration, I have set this action globally, unless a more specific action is defined for a jail.
so this is the global action: action = %(action_)s
and for the recidive jail I specified a different one: action = %(action_mwl)s which sends out emails about each blocked IP.
To make this easy for me and maybe for others, you should copy your configuration for us with your edited rule(s).
Re: SASL LOGIN authentication failed
as I said above: copy jail.conf to jail.local then edit jail.local and delete everything you don't change. here is mine: https://transfer.sh/5XAfY/jail.local or https://pastebin.com/jn8K6Ztw
Re: SASL LOGIN authentication failed
Thanks
To permanently ban an ip you can use this option:
bantime = -1
findtime = 604800
I use a long findtime to prevent some servers for blacklisted
Re: SASL LOGIN authentication failed
[root@efa mailscanner]# yum install fail2ban
[root@efa mailscanner]# cp jail.conf jail.local
vi jail.local # and edit according to needs.
I disabled the postfix and postfix-rbl jails, but I enabled the postfix-sasl jail (viewtopic.php?p=7469#p7469)
Seems to be working, all my sasl authentication failures have basically disappeared.
And the reason I disabled the postfix and postfix-rbl fail2ban jails is most of our mail comes through the messagelabs Antivirus/Antispam filtering service. The service still lets some spam through, and the fail2ban postfix/postfix-rbl rules start blocking it.
Re: SASL LOGIN authentication failed
You're right. What I did was use the action which sends emails for every ban and monitored this very closely. After having no false positives I enabled postfix-rbl but as you said, your mileage may vary.
-
- Posts: 23
- Joined: 30 Aug 2017 09:36
Re: SASL LOGIN authentication failed
shawniverson wrote: ↑15 Apr 2017 15:54
Means someone attempted to login using SASL on SMTP is all. If you don't use SASL, you can safely turn off SASL Auth to suppress these.
Hi,
which is the best way to do it?
Re: SASL LOGIN authentication failed
!!!ATTENTION!!!
Whoever copied my sample config from https://pastebin.com/jn8K6Ztw please go edit your config and replace my email address with yours. I keep receiving emails for someone else's fail2ban installation
I'm not naming the sender here as to not embarrass anyone and I have edited the pastebin sample and removed my email from there too
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: SASL LOGIN authentication failed
I can send my alerts to you?
Re: SASL LOGIN authentication failed
Please don't do that.
I learned a very valuable lesson to double check my posted snippets before publicly submitting them.
Re: SASL LOGIN authentication failed
*facepalm*
I feel your pain.