Postfix sasl log "SASL LOGIN authentication failed:"

Discussion in 'Installation/Configuration' started by Michaeltc, Jan 9, 2017.

  1. Michaeltc

    Michaeltc New Member

    Hi all :

    I find the maillog always show "SASL LOGIN authentication failed: UGFzc3dvcmQ6"
    How can I change conf file to show the failure user name

    Thanks
     
  2. alisik

    alisik Banned

    You should not change config file but log template.
     
  3. Michaeltc

    Michaeltc New Member

    If I don't change config, how can I know the user name of SASL login failed?

    Thanks
     
  4. Michaeltc

    Michaeltc New Member

    But the problem, when I go to see maillog, I don't know who is "UGFzc3dvcmQ6" this is encrypt
    So how can make maillog can show plain user name ?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to turn on verbose logging to see the details. The exact settings depend on the setup that you use. Which setup do you use on this server?
     
  6. Michaeltc

    Michaeltc New Member

    I
    Hi all :

    I'm follow the below link to setup
    https://www.howtoforge.com/tutorial...l-php-pureftpd-postfix-dovecot-and-ispconfig/

    I think the maillog come from postfix+Dovecot, if the spammer try to hack the account, the maillog will show
    postfix/smtpd[5556]: warning: unknown[xx.34.55.xxx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    My question is, how to show the user name for this SASL LOGIN authentication failed: UGFzc3dvcmQ6
    E.g. how to show
    postfix/smtpd[5556]: warning: unknown[xx.34.55.xxx]: SASL LOGIN authentication failed for user name : [email protected]
    but not UGFzc3dvcmQ6

    Thanks all support
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Hi Michael,

    please edit the dovecot.conf file (should be /etc/dovecot/dovecot.conf) and add these two lines to enable verbose logging:

    auth_verbose = yes
    mail_debug = yes

    then restart dovecot. If you get too much verbose output, then just try auth_verbose only.
     
  8. florian030

    florian030 Well-Known Member HowtoForge Supporter

    SASL LOGIN authentication failed != hacked
     
  9. Michaeltc

    Michaeltc New Member

    Hi all :

    Thanks for you help, I will try to modify dovecot, it is useful to show user name. As we can know which email account are in high risk and let me to do more step to prevent hacker try to hack password

    Thanks
     
  10. Michaeltc

    Michaeltc New Member

    SASL LOGIN authentication failed != hacked
    but it indicate some guest try to connect our smtp server to send spam email, but the password is wrong will cause
    postfix/smtpd[6942]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
     
    alisik likes this.
  11. David Bucknell

    David Bucknell New Member

    I'm getting this message in the log now. You say it means "hacked!" Below, someone says, it indicates a failed attempt to send spam (wrong password).
    Question: What is the recommended action?
     
  12. tfboy

    tfboy Member

    David, != is technical language for "does not equal", so in this case, the SASL LOGIN authentication failed message doesn't mean the account has been hacked. It simply means a wrong username / password has been used. It could be a brute-force hack attempt, but it's not getting through.
     
  13. Spaetzle

    Spaetzle Member HowtoForge Supporter

    Hi
    Ok. this thread is a little older now, but I would recommend to configure fail2ban to handle sasl login failures.
     
  14. Gabor

    Gabor New Member

    I use fail2ban, but can't even achive to log the mentioned encoded string in postfix. I can log the sasl sql query separately, but it's not a good solution because I can't surely link the failure log to the query.
    my postfix just logs: postfix/smtpd[xxxx]: warning: unknown[x.x.x.x]: SASL LOGIN authentication failed: authentication failure
    Any solution since then?
     
  15. Spaetzle

    Spaetzle Member HowtoForge Supporter

    Hi
    I think the following steps should help to use fail2ban:
    First create a file /etc/fail2ban/jail.d/postfix-sasl.conf with the following content:

    Code:
    [sasl]
    enabled  = true
    port     = smtp
    filter   = postfix-sasl
    logpath  = /var/log/mail.log
    maxretry = 5
    and a second file /etc/fail2ban/filter.d/postfix-sasl.conf:

    Code:
    # Fail2Ban filter for postfix authentication failures
    [INCLUDES]
    before = common.conf
    [Definition]
    _daemon = postfix/smtpd
    failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
    Then just restart fail2ban:
    Code:
    systemctl restart fail2ban
    After that the list of banned IPs should fill up quite fast ;-)

    regards
    Bernd
     
    Steini86 likes this.
  16. Gabor

    Gabor New Member

    Thanks, but the the problem is with postfix not logging SASL failed username
     
  17. Steini86

    Steini86 Active Member

    I don't understand that? In your post above you have a perfectly fine log line which will be found by the posted code
     
  18. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    and why is that a problem?
    this does not include the username, encrypted or otherwise, 'UGFzc3dvcmQ6' unencrypted is 'Password'

    all this log entry is showing you is that someone tried to log in with incorrect details, they could have used any username, the username doesn't have to (and probably doesn't actually) exist on your system.
    similarly, it doesn't help you even if you know what the username they're trying is, they're just trying to brute force any username they think is likely to exist. knowing they're trying to brute force [email protected] doesn't help you.
    what helps is knowing the ip address they're trying to do this from, and banning it if it makes repeated attempts to login, which is what the bit of fail2ban configuration posted above will do for you.
     
  19. Gabor

    Gabor New Member

    If I knew the username I could set more aggressive firewall beahvior when one IP probing different usernames. I could be sure it is not a regular user trying to login.
     
  20. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    they'll most likely have already been banned due to too many failed logins trying different passwords for the same username.

    whilst basing bans on different usernames being used from the same ip runs the risk of banning legitimate users connecting to email from an office, or one user trying to access different mailboxes on different domains because they don't want them all going into one mailbox, or don't know how to have them all go into one mailbox.

    if you want to be more aggressive with this sort of thing, you can decrease the maxretry level, or increase the time period for maxretries can be reached, and increase the bantime for that jail.
    you can also create jail loops, so if an ip has been banned already today, if it gets banned again, the ban time is doubled, you can set it so if it's banned eg 3 times in a day, it gets banned for 24 hours, if it gets banned 3 times within a week, it gets banned for a week, or if it gets 5 24 hour bans within a fortnight, it gets banned for 6 months.


    if you turn on verbose logging, or debug logging, if you have a lot of mailusers, you're going to end up with massive log files.
    you could be looking at 10's of Gb's of mail logs each day.
    I don't know what it's like where you are, but in the uk, if you're providing an email service to customers, you're legally required to keep records of all mail transactions for at least a year.. even zipping the mail logs up, that's a lot of disk space spent on storing old log files.
     

Share This Page