Missing postfix-sasl.conf

Discussion in 'Installation/Configuration' started by Pedro A., Nov 23, 2022 at 1:25 PM.

  1. Pedro A.

    Pedro A. New Member

    Hi.
    I noticed so many messages on my server like this: warning: unknown[37.139.128.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    I've been searching for a way to block these logins through fail2ban and I've found that I should modify the file located at /etc/fail2ban/filter.d/postfix-sasl.conf, but it doesn't exist.
    If I do a "fail2ban-client status", I get :
    - Number of jail: 4
    Jail list: dovecot, postfix-sasl, pure-ftpd, sshd
    If I do a "fail2ban-client status postfix-sasl", I get :
    Status for the jail: postfix-sasl
    |- Filter
    | |- Currently failed: 0
    | |- Total failed: 0
    | `- File list: /var/log/mail.log
    `- Actions
    |- Currently banned: 0
    |- Total banned: 0
    `- Banned IP list:

    In my jail.local file I've this:
    [postfix-sasl]
    enabled = true
    port = smtp
    filter = postfix
    logpath = /var/log/mail.log
    maxretry = 3

    Then, following this old post https://forum.howtoforge.com/threads/fail2ban-postfix-sasl-does-not-exist.83720/ I believe I've to create the postfix-sasl.conf and add the code posted there, and modify jail.local and modify the line filter = postfix to filter = postfix[mode=auth].
    Is this correct?
    Thanks!
     
  2. pyte

    pyte Active Member HowtoForge Supporter

    You will see this in the logs on any public mailserver. These are stupid bots that try to authenticate, but improperly. "UGFzc3dvcmQ6" is BASE64 and translates to "Password:".

    In a default ISPConfig 3 installation the jail.local postfix-sasl part reads:
    Code:
    [postfix-sasl]
    enabled = true
    port = smtp
    filter = postfix[mode=auth]
    logpath = /var/log/mail.log
    maxretry = 3
    
    This seems fine to me.
     
  3. Pedro A.

    Pedro A. New Member

    Hi!
    I've not made any change in my jail.local file, but if you check my post there's a difference at the line filter = postfix. I don't have [mode=auth].
    Do I need to add this? Do I have to create the postfix-sasl.conf file?
    Thanks.
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Put only
    Code:
    [postfix-sasl]
    enabled = true
    in jail.local. Then it gets the rest from the distribution provided settings.
     
  5. Pedro A.

    Pedro A. New Member

    Hi.
    If I erase from the port line to maxretry and only leave enabled = true, then after restarting fail2ban and doing fail2ban-client status postfix-sasl I receive this:
    |- Filter
    | |- Currently failed: 1
    | |- Total failed: 1
    | `- File list: /var/log/mail.log
    `- Actions
    |- Currently banned: 0
    |- Total banned: 0
    `- Banned IP list:

    So I believe leaving only this line isn't the solution.
    I repeat: do I have to create the postfix-sasl.conf file?
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The postfix-sasl.conf comes with the fail2ban distribution. If your fail2ban is missing that file, then you have to create it or re-install fail2ban to get all the files.
    Code:
    [email protected]:/etc/fail2ban# ls -lh filter.d/postfix-sasl.conf
    -rw-r--r-- 1 root root 482 maalis 17  2021 filter.d/postfix-sasl.conf
    [email protected]:/etc/fail2ban# 
    Code:
    [email protected]:/etc/fail2ban# cat filter.d/postfix-sasl.conf
    # Fail2Ban filter for postfix authentication failures
    #
    
    [INCLUDES]
    
    before = common.conf
    
    [Definition]
    
    _daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
    
    failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
    
    ignoreregex = authentication failed: Connection lost to authentication server$
    
    [Init]
    
    journalmatch = _SYSTEMD_UNIT=postfix.service
    
    
    # Author: Yaroslav Halchenko
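
To see what the filter quoted in the thread matches, ignores and would ban, here is an added Python sketch (not from any poster and not fail2ban's own code). It assumes a simplified syslog prefix in place of `%(__prefix_line)s`, a named group in place of `<HOST>`, and constructed log lines; `decode_detail` and `scan` are hypothetical helper names.

```python
import base64
import re
from collections import Counter

# Adapted from the failregex quoted in the thread. Assumptions: <HOST> becomes a
# named group, a simplified syslog prefix stands in for %(__prefix_line)s, and
# (?i) is scoped to the mechanism group, as Python 3.11+ requires.
FAILREGEX = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ postfix(?:-\w+)?/(?:submission/|smtps/)?smtp[ds]\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(?::(?P<detail>[ A-Za-z0-9+/:]*={0,2}))?\s*$"
)
IGNOREREGEX = re.compile(r"authentication failed: Connection lost to authentication server$")
MAXRETRY = 3  # same value as maxretry in the jail.local shown in the thread

# Constructed sample lines; only 37.139.128.9 and its message come from the thread.
SAMPLE_LOG = [
    "Nov 23 13:01:02 mail postfix/smtpd[2211]: warning: unknown[37.139.128.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Nov 23 13:01:09 mail postfix/smtpd[2211]: warning: unknown[37.139.128.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Nov 23 13:01:15 mail postfix/smtpd[2212]: warning: unknown[37.139.128.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Nov 23 13:01:40 mail postfix/submission/smtpd[2301]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed:",
    "Nov 23 13:02:10 mail postfix/smtpd[2215]: warning: unknown[198.51.100.4]: SASL LOGIN authentication failed: Connection lost to authentication server",
    "Nov 23 13:02:30 mail postfix/smtpd[2216]: connect from unknown[203.0.113.7]",
]

def decode_detail(detail):
    """Return the base64-decoded SASL challenge text, or None if it is not base64."""
    try:
        return base64.b64decode((detail or "").strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def scan(lines, maxretry=MAXRETRY):
    """Count failures per host; hosts that reach maxretry would be banned.
    fail2ban's findtime window is left out of this sketch."""
    failures = Counter()
    for line in lines:
        match = FAILREGEX.search(line)
        # The ignoreregex wins: a backend outage is not a client failure.
        if not match or IGNOREREGEX.search(line):
            continue
        failures[match.group("host")] += 1
    banned = sorted(host for host, count in failures.items() if count >= maxretry)
    return failures, banned

if __name__ == "__main__":
    failures, banned = scan(SAMPLE_LOG)
    print(dict(failures), banned, decode_detail("UGFzc3dvcmQ6"))
```

On a real server, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf` runs the installed filter against the actual log and reports how many lines it matched.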
     
