SASL LOGIN authentication failed

Discussion in 'Server Operation' started by LinuxPete, Jan 18, 2011.

  1. LinuxPete

    LinuxPete Member HowtoForge Supporter

    I checked my maillog today and I am getting thousands of "SASL LOGIN authentication failed" from comcast in Seattle.

    postfix/smtpd[29140]: warning: 74-93-110-77-Seattle.hfc.comcastbusiness.net[74.93.110.77]: SASL LOGIN authentication failed:

    I've tried to block that ip with:
    iptables -A INPUT -s 74.93.110.77 -j DROP
    and
    iptables -A INPUT -s 74.93.110.77 -p tcp --destination-port 80 -j DROP

    but I still see login failures.

    I did a google and hfc.comcastbusiness.net is listed in one black list.

    I only have about 5-10 virt email users that I forward any necessary mail.
    So who ever this is should not be trying to get in my system.

    Is there anything else I can do?

    Thanks
    LP
     
  2. Torsson

    Torsson New Member

    I had the same problem but with:

    24-178-116-148.dhcp.thtn.ga.charter.com[24.178.116.148]: SASL LOGIN authentication failed: authentication failure.

    I think we need to put some limitations and block if someone tries to login to many times.
     
  3. falko

    falko Super Moderator ISPConfig Developer

    I suggest that you install fail2ban.
     
  4. Torsson

    Torsson New Member

    Thank you falko. I have now installed fail2ban and activated it on SASL with the following regex "\[<HOST>\]: SASL LOGIN authentication failed: authentication failure".

    And checked the regex with:
    fail2ban-regex /var/log/mail.log "\[<HOST>\]: SASL LOGIN authentication failed: authentication failure" It found 3500 matches so hope that does the trick :).
     
  5. LinuxPete

    LinuxPete Member HowtoForge Supporter

    Thanks it was running on my system but I had it incorrectly configured.
     
  6. LinuxPete

    LinuxPete Member HowtoForge Supporter

    thanks Torsson. I think I've now got it correctly configured and your example help in using it.
     

Share This Page