1

Topic: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Hi,
We are getting a lot of annoying "warning: unknown[]: SASL LOGIN authentication failed: UGFzc3dvcmQ6" probably from spammers.

Is there an easy way to block this with fail2ban?

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Stable release is out.

2

Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Fail2ban is configured to ban such client with jail /etc/fail2ban/jail.d/postfix.local.

3 (edited by laboratorio 2022-08-17 17:11:32)

Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6

ZhangHuangbin wrote:

Fail2ban is configured to ban such client with jail /etc/fail2ban/jail.d/postfix.local.

I'm afraid something is not working as it should. It looks like this:

Status for the jail: postfix
|- Filter
|  |- Currently failed: 30
|  |- Total failed:     1315
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

----------------------------------------
postfix.local

[postfix]
backend     = polling
journalmatch=
enabled     = true
filter      = postfix.iredmail
logpath     = /var/log/maillog
action      = iptables-multiport[name=postfix, port="80,443,25,587,465,110,995,143,993,4190", protocol=tcp]
              banned_db[name=postfix, port="80,443,25,587,465,110,995,143,993,4190", protocol=tcp]
              sendmail-whois[name=postfix, dest=root@example.com, sender=fail2ban@example.com]

4

Re: SASL LOGIN authentication failed: UGFzc3dvcmQ6

iptables was dropped some time ago, iredmail uses nftables instead (which is common for any debian higher than 9.0)

aswell, seems that you have an own implementation since banned_db needs an API token and sendmail-whois is not configured by default