Old 6th November 2012, 09:40
thabangk
SASL LOGIN authentication failed

Hi All

I have installed ISPConfig 3 on CentOS 6.3
with Dovecot installed and used the below link for installation:
http://www.howtoforge.com/perfect-se...ispconfig-3-p5
and everything seems to be fine and working but I am more worried about finding something like this in the maillog:

57264:Nov 6 10:02:45 mailserver postfix/smtpd[5198]: warning: unknown[110.52.2.13]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
57270:Nov 6 10:02:53 mailserver postfix/smtpd[5198]: warning: unknown[110.52.2.13]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
57439:Nov 6 10:15:35 mailserver postfix/smtpd[5595]: warning: unknown[115.63.10.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
57446:Nov 6 10:16:02 mailserver postfix/smtpd[5595]: warning: unknown[115.63.10.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
57456:Nov 6 10:16:20 mailserver postfix/smtpd[5595]: warning: unknown[115.63.10.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
57463:Nov 6 10:16:31 mailserver postfix/smtpd[5595]: warning: unknown[115.63.10.43]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
57471:Nov 6 10:16:50 mailserver postfix/smtpd[5595]: warning: unknown[110.52.0.169]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

and I configured fail2ban, it manages to block IPs using postfix but the SASL are not blocked, please see my jail.conf below.
[postfix]

enabled = true
filter = postfix
action = iptables[name=SMTP, port=smtp, protocol=tcp]
sendmail[name=Postfix, dest=name@domain.com]
logpath = /var/log/maillog
maxretry = 2
bantime = 3000000000

[postfix-tcpwrapper]

enabled = true
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
sendmail[name=Postfix, dest=name@domain.com]
logpath = /var/log/postfix.log
bantime = 3000

[sasl]

enabled = true
port = smtp
filter = sasl
action = iptables[name=SMTP, port=smtp,smtpd, protocol=tcp]
sendmail[name=sasl, dest=name@domain.com]
logpath = /var/log/mail.log
maxretry = 1

I tried all these regular expressions in sasl.conf so that I can block the IP that attempts this login

#failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: authentication failure (: [A-Za-z0-9+/]*={0,2})?
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?

but still no luck. Can someone please assist?
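An added example, not part of the original post: a small offline check that runs the two posted failregex lines against two of the posted log lines, decodes the trailing base64 token, and lists which posted jail reads /var/log/maillog. The `HOST` pattern is an assumed, IPv4-only stand-in for fail2ban's `<HOST>` tag, and the function names are hypothetical.

```python
import base64
import re

# Two log lines copied from the post (grep line-number prefixes dropped).
LOG_LINES = [
    "Nov 6 10:02:45 mailserver postfix/smtpd[5198]: warning: unknown[110.52.2.13]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Nov 6 10:16:50 mailserver postfix/smtpd[5595]: warning: unknown[110.52.0.169]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
]

# The two failregex lines from the posted sasl.conf (first one is commented out there).
COMMENTED = r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: authentication failure (: [A-Za-z0-9+/]*={0,2})?"
ACTIVE = r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?"

# Assumption: simplified IPv4-only substitute for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# logpath of each jail, as posted in jail.conf.
JAIL_LOGPATHS = {
    "postfix": "/var/log/maillog",
    "postfix-tcpwrapper": "/var/log/postfix.log",
    "sasl": "/var/log/mail.log",
}


def matched_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    return [m.group("host") for m in map(pattern.search, lines) if m]


def trailing_token(line):
    """Decode the base64 text that follows 'authentication failed: '."""
    return base64.b64decode(line.rsplit(": ", 1)[1]).decode("ascii")


def jails_reading(path):
    """List the posted jails whose logpath is exactly this file."""
    return sorted(jail for jail, p in JAIL_LOGPATHS.items() if p == path)


if __name__ == "__main__":
    print("active regex    :", matched_hosts(ACTIVE, LOG_LINES))
    print("commented regex :", matched_hosts(COMMENTED, LOG_LINES))
    print("trailing token  :", trailing_token(LOG_LINES[0]))
    print("jails on maillog:", jails_reading("/var/log/maillog"))
```

On a host with fail2ban installed, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf` runs the same kind of check against the real log and filter file.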