SASL LOGIN authentication failed

Posted by Captain, 9th March 2012, 10:35

Hello!

From time to time I see many of these log entries in mail.log:
Code:
Mar  9 09:06:57 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:07:12 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:07:30 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:02 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:10 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:20 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:31 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:50 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:58 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:09:20 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:09:53 itex postfix/smtpd[5534]: last message repeated 2 times
Mar  9 09:09:53 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:10:02 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:10:14 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:10:35 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:10:48 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:05 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:13 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:23 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:32 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:44 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Where mail.domain.com is the domain of my server and 1.2.3.4 is the IP of my server.

chkrootkit and rkhunter are clean.

And fail2ban doesn't recognize it.

jail.conf
Code:
[sasl]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log

sasl.conf
Code:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

In the fail2ban log I have this:

Code:
2012-03-09 13:36:52,832 fail2ban.actions.action: ERROR  iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200


Is this normal or is something wrong with server security?
I have ISPConfig2 final, Ubuntu 10.04.1 LTS

Thank you!

Last edited by Captain; 9th March 2012 at 13:41.
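
Added example (not part of the original post, and not fail2ban's own code): a Python check of the two failregex variants from the posted sasl.conf against log lines like those above, using the <HOST> alias exactly as the filter's comment documents it. The base64-tail line, the 192.0.2.10 address and the maxretry value of 3 are constructed assumptions; findtime windows are not modelled.

```python
import re
from collections import Counter

# <HOST> alias as documented in the sasl.conf comments on this page.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The commented-out (anchored) and the active (unanchored) failregex from the post.
ANCHORED = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
            r" authentication failed(: [A-Za-z0-9+/]*={0,2})?$")
UNANCHORED = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
              r" authentication failed")

# First three lines are copied from the post; the last one is constructed to
# show the base64-challenge form that the anchored variant was written for.
SAMPLE = [
    "Mar  9 09:06:57 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Mar  9 09:07:12 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Mar  9 09:09:53 itex postfix/smtpd[5534]: last message repeated 2 times",
    "Mar  9 09:12:01 itex postfix/smtpd[5324]: warning: unknown[192.0.2.10]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
]


def compile_failregex(failregex):
    """Expand the <HOST> tag the way the filter comment describes it."""
    return re.compile(failregex.replace("<HOST>", HOST))


def failures_by_host(failregex, lines):
    """Count matching failure lines per captured host."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        match = rx.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def over_threshold(failregex, lines, maxretry=3):
    """Hosts whose match count reaches maxretry (assumed value, not from the post)."""
    return sorted(h for h, n in failures_by_host(failregex, lines).items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("anchored", ANCHORED), ("unanchored", UNANCHORED)):
        print(name, dict(failures_by_host(rx, SAMPLE)))
```

The syslog "last message repeated 2 times" line carries no host, so neither variant counts the failures it stands for.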
All times are GMT +2.