1

Topic: Sasl authentication failures to fail2ban

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.1
- Deployed with iRedMail Easy or the downloadable installer? installer
- Linux/BSD distribution name and version: Debian 11.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I have plenty of SASL auth failures from many IPs:

Feb 10 12:47:37 mail postfix/submission/smtpd[2922253]: warning: unknown[192.72.5.192]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 10 12:50:46 mail postfix/submission/smtpd[2922375]: warning: unknown[5.101.129.104]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 10 12:51:34 mail postfix/submission/smtpd[2922375]: warning: unknown[45.119.30.213]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 10 12:52:46 mail postfix/submission/smtpd[2922375]: warning: unknown[122.165.141.16]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 10 12:53:13 mail postfix/submission/smtpd[2922375]: warning: unknown[177.135.223.185]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 10 13:01:36 mail postfix/submission/smtpd[2922648]: warning: unknown[185.41.110.40]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 10 13:01:57 mail postfix/submission/smtpd[2922648]: warning: unknown[122.170.5.197]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 10 13:02:17 mail postfix/submission/smtpd[2922648]: warning: unknown[45.14.165.137]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 10 13:03:37 mail postfix/submission/smtpd[2922648]: warning: unknown[141.98.11.144]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 10 13:05:46 mail postfix/submission/smtpd[2922648]: warning: unknown[58.216.101.162]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

I have no user like that and I would like to block those IPs. Is this possible with fail2ban?

fail2ban works for postfix:
Status for the jail: postfix
|- Filter
|  |- Currently failed: 51
|  |- Total failed:     441132
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1382
   `- Banned IP list:   46.41.134.164

Do I have to do anything else, or is it just impossible to block such actions?


2

Re: Sasl authentication failures to fail2ban

Fail2ban is configured to catch this failure, so it should block the IP with the default Fail2ban configuration generated by the iRedMail installer.

Note: all IP addresses are unique in your pasted log, but fail2ban requires multiple failures from the same IP in a certain period.

3

Re: Sasl authentication failures to fail2ban

Thanks for the answer.
Is there any way to block per SASL LOGIN - in magical or non magical way?

4

Re: Sasl authentication failures to fail2ban

you want to block after a single fail?

5

Re: Sasl authentication failures to fail2ban

Cthulhu wrote:

you want to block after a single fail?

No, as you can see there are a lot of the same failures with the same username. It could be after, let's say, 5 ;-)

6 (edited by Cthulhu 2023-03-24 05:22:50)

Re: Sasl authentication failures to fail2ban

That is not the username:

UGFzc3dvcmQ6 = base64(Password:)

Postfix itself does not include a SASL implementation. Traditionally, it was hooked up to Cyrus SASL, but you are using the Dovecot POP/IMAP server, so Postfix can reuse its SASL module.

Dovecot has its own debugging facility, enabled in its config file with:

auth_verbose = yes

While there is no host-based control here, there are a number of related options to control what gets logged, specifically whether or not to include the attempted passwords.

# Log unsuccessful authentication attempts and the reasons why they failed.
auth_verbose = yes

# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
auth_verbose_passwords = yes

# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
auth_debug = no

# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
auth_debug_passwords = no

With those changes, you could create a new fail2ban filter that triggers when someone tries to log in with a specified password.

The logging will be done to

/var/log/dovecot/dovecot.log

Example of an entry:

Mar 23 21:34:26 mail dovecot: auth-worker(24790): sql(test@domain.tld,46.114.3.47,<x5/qM5f3v5EucgMv>): Password mismatch (given password: foobar)

An example filter (for banning a breached password, in this case password = foobar) could be:

[Definition]
failregex = auth-worker.*,<HOST>,.* Password mismatch .*given password: foobar.*

ignoreregex =

BUT:
This requires modifying the fail2ban filter each time with the newly tried passwords.

I can only suggest this solution if you know that a mail account got breached and you want to block any further failed login attempts with the breached password.

I hope this solution fits your needs.

If you wish, I can give you the example config files for fail2ban.
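As an added example (not code from this thread, iRedMail or fail2ban), the Python below models how a jail counts matches per client IP inside a findtime window, which is why the unique IPs in post 1 are never banned (post 2's point) while a repeating IP is. The two regexes are modelled on the Postfix lines in post 1 and the Dovecot filter in post 6; the maxretry/findtime values, the sample log lines and the RFC 5737 test addresses are constructed assumptions, and fail2ban's real <HOST> pattern and date handling are wider than this model.

```python
import base64
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban's <HOST> placeholder, narrowed to IPv4 here (fail2ban's own pattern is wider).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Modelled on the Postfix lines in post 1; not fail2ban's shipped postfix-sasl filter.
POSTFIX_SASL = re.compile(
    r"postfix/\S+/smtpd\[\d+\]: warning: \S+\[" + HOST +
    r"\]: SASL (?:LOGIN|PLAIN) authentication failed(?:: (?P<tail>[A-Za-z0-9+/=]+))?")
# Same shape as the Dovecot filter in post 6, but capturing the password instead of fixing it.
DOVECOT_PW = re.compile(
    r"auth-worker\(\d+\): \S+\([^,]+," + HOST +
    r",<[^>]*>\): Password mismatch \(given password: (?P<pw>[^)]*)\)")
SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")

def simulate_jail(lines, failregex, maxretry, findtime, year=2023):
    """Sliding-window jail model: ban an IP at its `maxretry`-th match within `findtime` s."""
    recent, banned = defaultdict(deque), {}
    for line in lines:
        ts, hit = SYSLOG_TS.match(line), failregex.search(line)
        if not (ts and hit) or hit.group("host") in banned:
            continue
        t = datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[hit.group("host")]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:  # drop matches older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned[hit.group("host")] = ts.group(1)   # value: timestamp of the ban
    return banned

def sasl_tail(line):
    """Decode the base64 token Postfix logs after 'failed:': the SASL challenge, not a username."""
    hit = POSTFIX_SASL.search(line)
    return base64.b64decode(hit.group("tail")).decode() if hit and hit.group("tail") else None

# Constructed sample lines (RFC 5737 addresses); only 203.0.113.7 retries, and its retries are spread out.
def _pf(ts, ip):
    return f"{ts} mail postfix/submission/smtpd[4242]: warning: unknown[{ip}]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"
POSTFIX_LINES = [_pf("Feb 10 12:47:37", "198.51.100.10"), _pf("Feb 10 12:48:02", "203.0.113.7"),
                 _pf("Feb 10 12:49:11", "203.0.113.7"), _pf("Feb 10 12:50:46", "192.0.2.33"),
                 _pf("Feb 10 12:51:34", "203.0.113.7"), _pf("Feb 10 13:05:00", "203.0.113.7"),
                 _pf("Feb 10 13:05:46", "203.0.113.7")]
DOVECOT_LINES = ["Mar 23 21:34:26 mail dovecot: auth-worker(24790): sql(test@domain.tld,"
                 f"{ip},<constructed-session>): Password mismatch (given password: foobar)"
                 for ip in ("203.0.113.7",) * 3]
```

With maxretry=5 and findtime=600 the sample bans nobody, because the retrying IP's five failures span more than ten minutes; with maxretry=3 it is banned at 12:51:34, and the Dovecot lines show the post 6 filter shape matching on the given password.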

7

Re: Sasl authentication failures to fail2ban

tasia wrote:

Is there any way to block per SASL LOGIN - in magical or non magical way?

Note: even your legitimate end users may cause SASL LOGIN failures, so blocking the client on the first failure might be too strict and cause you more workload (like receiving phone calls from end users).

Instead, please force all end users to use strong passwords. A weak password is the weakest part of an email server.

8 (edited by evenmoreconfused 2024-05-14 05:17:36)

Re: Sasl authentication failures to fail2ban

I came across this thread while "searching before posting" when working on something similar.

I'm confused because several places on the web specifically talk about a predefined jail in fail2ban called "postfix-sasl" (not "postfix", which is different). They seem to imply that if it's just enabled, postfix will catch these doorknockers and ban them.

As we all know, fail2ban in iRedMail enables six jails:

[root@elm jail.d]# fail2ban-client status
Status
|- Number of jail:      6
`- Jail list:   dovecot, nginx-http-auth, postfix, pregreet, roundcube, sshd

But I note postfix-sasl isn't enabled. Has anyone just tried enabling it?

9 (edited by evenmoreconfused 2024-05-14 05:21:23)

Re: Sasl authentication failures to fail2ban

Update: I see it's not one of the predefined filters in an iRedMail install (i.e. it's not in /etc/fail2ban/filter.d).

I'll look around for more info.

10

Re: Sasl authentication failures to fail2ban

Feel free to create a jail with the "postfix-sasl" filter yourself.