Postfix sasl log "SASL LOGIN authentication failed:"

Discussion in 'Installation/Configuration' started by Michaeltc, Jan 9, 2017.

  1. Michaeltc

    Michaeltc New Member

    Hi all :

    I find the maillog always shows "SASL LOGIN authentication failed: UGFzc3dvcmQ6"
    How can I change the conf file to show the failed user name?

    Thanks
     
  2. alisik

    alisik Banned

    You should not change the config file but the log template.
     
  3. Michaeltc

    Michaeltc New Member

    If I don't change the config, how can I know the user name of the failed SASL login?

    Thanks
     
  4. Michaeltc

    Michaeltc New Member

    But the problem is, when I look at the maillog, I don't know who "UGFzc3dvcmQ6" is; this is encrypted.
    So how can I make the maillog show the plain user name?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to turn on verbose logging to see the details. The exact settings depend on the setup that you use. Which setup do you use on this server?
     
  6. Michaeltc

    Michaeltc New Member

    Hi all:

    I followed the link below for the setup
    https://www.howtoforge.com/tutorial...l-php-pureftpd-postfix-dovecot-and-ispconfig/

    I think the maillog comes from postfix+Dovecot; if a spammer tries to hack the account, the maillog will show
    postfix/smtpd[5556]: warning: unknown[xx.34.55.xxx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    My question is, how do I show the user name for this SASL LOGIN authentication failed: UGFzc3dvcmQ6
    E.g. how to show
    postfix/smtpd[5556]: warning: unknown[xx.34.55.xxx]: SASL LOGIN authentication failed for user name : [email protected]
    but not UGFzc3dvcmQ6

    Thanks for all the support
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Hi Michael,

    Please edit the dovecot.conf file (should be /etc/dovecot/dovecot.conf) and add these two lines to enable verbose logging:

    auth_verbose = yes
    mail_debug = yes

    Then restart dovecot. If you get too much verbose output, then just try auth_verbose only.
     
  8. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    SASL LOGIN authentication failed != hacked
     
  9. Michaeltc

    Michaeltc New Member

    Hi all :

    Thanks for your help, I will try to modify dovecot; it is useful to show the user name, as we can then know which email accounts are at high risk, and it lets me take more steps to prevent hackers from trying to hack passwords.

    Thanks
     
  10. Michaeltc

    Michaeltc New Member

    SASL LOGIN authentication failed != hacked
    but it indicates that some guest is trying to connect to our SMTP server to send spam email; a wrong password will cause
    postfix/smtpd[6942]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
     
    alisik likes this.
  11. David Bucknell

    David Bucknell New Member

    I'm getting this message in the log now. You say it means "hacked!" Below, someone says, it indicates a failed attempt to send spam (wrong password).
    Question: What is the recommended action?
     
  12. tfboy

    tfboy Member

    David, != is technical language for "does not equal", so in this case, the SASL LOGIN authentication failed message doesn't mean the account has been hacked. It simply means a wrong username / password has been used. It could be a brute-force hack attempt, but it's not getting through.
     
  13. Spaetzle

    Spaetzle Member HowtoForge Supporter

    Hi
    OK, this thread is a little older now, but I would recommend configuring fail2ban to handle SASL login failures.
     
  14. Gabor

    Gabor New Member

    I use fail2ban, but can't even achieve logging the mentioned encoded string in postfix. I can log the SASL SQL query separately, but it's not a good solution because I can't reliably link the failure log to the query.
    my postfix just logs: postfix/smtpd[xxxx]: warning: unknown[x.x.x.x]: SASL LOGIN authentication failed: authentication failure
    Any solution since then?
     
  15. Spaetzle

    Spaetzle Member HowtoForge Supporter

    Hi
    I think the following steps should help to use fail2ban:
    First create a file /etc/fail2ban/jail.d/postfix-sasl.conf with the following content:

    Code:
    [sasl]
    enabled  = true
    port     = smtp
    filter   = postfix-sasl
    logpath  = /var/log/mail.log
    maxretry = 5

    and a second file /etc/fail2ban/filter.d/postfix-sasl.conf:

    Code:
    # Fail2Ban filter for postfix authentication failures
    [INCLUDES]
    before = common.conf

    [Definition]
    _daemon = postfix/smtpd
    failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

    Then just restart fail2ban:

    Code:
    systemctl restart fail2ban

    After that the list of banned IPs should fill up quite fast ;-)

    regards
    Bernd
     
    Steini86 likes this.
  16. Gabor

    Gabor New Member

    Thanks, but the problem is with postfix not logging the failed SASL username
     
  17. Steini86

    Steini86 Active Member

    I don't understand that? In your post above you have a perfectly fine log line which will be found by the posted code.
     
  18. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    and why is that a problem?
    this does not include the username, encrypted or otherwise, 'UGFzc3dvcmQ6' unencrypted is 'Password'

    all this log entry is showing you is that someone tried to log in with incorrect details, they could have used any username, the username doesn't have to (and probably doesn't actually) exist on your system.
    similarly, it doesn't help you even if you know what the username they're trying is, they're just trying to brute force any username they think is likely to exist. knowing they're trying to brute force [email protected] doesn't help you.
    what helps is knowing the ip address they're trying to do this from, and banning it if it makes repeated attempts to login, which is what the bit of fail2ban configuration posted above will do for you.
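
Added example (not part of any post in this thread, and not fail2ban's own code): the failregex from post 15 and the decoding point from post 18, run in Python over constructed log lines. It shows that the trailing string is only the base64 of the SASL LOGIN server prompt, while the client IP is the field the jail counts against maxretry. The syslog prefix and the IPv4-only host pattern are simplified assumptions standing in for fail2ban's `__prefix_line` and `<HOST>`.

```python
import base64
import re
from collections import Counter

# Stand-in for fail2ban's %(__prefix_line)s and <HOST> (assumption: classic
# syslog timestamp, IPv4 only); the rest is the failregex from the thread.
FAILREGEX = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(?:: (?P<detail>[ A-Za-z0-9+/]*={0,2}))?\s*$"
)
MAXRETRY = 5  # same threshold as the jail posted in the thread

# Constructed sample log (documentation IP ranges, hypothetical host "mail").
PREFIX = "Jan  9 10:00:0{} mail postfix/smtpd[5556]: "
SAMPLE_LOG = "\n".join(
    [PREFIX.format(i) + "warning: unknown[203.0.113.7]: "
     "SASL LOGIN authentication failed: UGFzc3dvcmQ6" for i in range(5)]
    + [PREFIX.format(6) + "warning: unknown[198.51.100.20]: "
       "SASL LOGIN authentication failed: authentication failure",
       PREFIX.format(7) + "connect from unknown[198.51.100.20]"]
)

def decode_detail(detail):
    """Return the base64-decoded detail text, or None if it is not base64."""
    try:
        return base64.b64decode(detail, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def analyse(log_text):
    """Count matching failures per client IP and collect the logged details."""
    failures, details = Counter(), set()
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # not an authentication failure line
        failures[m["host"]] += 1
        detail = m["detail"] or ""
        details.add(decode_detail(detail) or detail)
    to_ban = sorted(ip for ip, n in failures.items() if n >= MAXRETRY)
    return failures, details, to_ban

if __name__ == "__main__":
    failures, details, to_ban = analyse(SAMPLE_LOG)
    print("failures per IP:", dict(failures))
    print("decoded details:", sorted(details))
    print("reached maxretry:", to_ban)
```
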
     
  19. Gabor

    Gabor New Member

    If I knew the username I could set more aggressive firewall behavior when one IP is probing different usernames. I could be sure it is not a regular user trying to login.
     
  20. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    they'll most likely have already been banned due to too many failed logins trying different passwords for the same username.

    whilst basing bans on different usernames being used from the same ip runs the risk of banning legitimate users connecting to email from an office, or one user trying to access different mailboxes on different domains because they don't want them all going into one mailbox, or don't know how to have them all go into one mailbox.

    if you want to be more aggressive with this sort of thing, you can decrease the maxretry level, or increase the time period in which maxretry can be reached, and increase the bantime for that jail.
    you can also create jail loops, so if an ip has been banned already today, if it gets banned again, the ban time is doubled, you can set it so if it's banned eg 3 times in a day, it gets banned for 24 hours, if it gets banned 3 times within a week, it gets banned for a week, or if it gets 5 24 hour bans within a fortnight, it gets banned for 6 months.


    if you turn on verbose logging, or debug logging, if you have a lot of mailusers, you're going to end up with massive log files.
    you could be looking at 10s of GB of mail logs each day.
    I don't know what it's like where you are, but in the uk, if you're providing an email service to customers, you're legally required to keep records of all mail transactions for at least a year.. even zipping the mail logs up, that's a lot of disk space spent on storing old log files.
     
