I see this in the logs, 24/7, obviously spammers trying to get into our Zimbra 8.8.11 servers, I guess doing some kind of dictionary attack.
Is SASL related to POPS and/or IMAPS which are all that we really allow? We only have a handful of accounts on the server, mainly for outgoing mail, notifications from a service we offer.
If SASL is not related, can it be disabled, and is it worth doing so, since this is the only non-stop attempt that I see in the logs?
Jun 10 15:28:01 mx postfix/smtps/smtpd[1353]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:01 mx postfix/smtps/smtpd[1353]: warning: unknown[80.149.41.197]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:04 mx postfix/smtps/smtpd[1353]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:04 mx postfix/smtps/smtpd[1353]: warning: unknown[80.149.41.197]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:14 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:14 mx postfix/smtps/smtpd[1357]: warning: unknown[113.172.116.1]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:31 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:31 mx postfix/smtps/smtpd[1357]: warning: unknown[14.164.186.241]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:33 mx postfix/smtps/smtpd[1842]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:33 mx postfix/smtps/smtpd[1842]: warning: mx-ll-183.89.215-245.dynamic.3bb.co.th[183.89.215.245]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:35 mx postfix/smtps/smtpd[1290]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:35 mx postfix/smtps/smtpd[1290]: warning: unknown[14.164.186.241]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:44 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:44 mx postfix/smtps/smtpd[1357]: warning: mx-ll-183.89.215-245.dynamic.3bb.co.th[183.89.215.245]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:29:09 mx postfix/smtps/smtpd[1842]: warning: SASL authentication failure: Password verification failed
Jun 10 15:29:09 mx postfix/smtps/smtpd[1842]: warning: unknown[220.156.174.161]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:29:12 mx postfix/smtps/smtpd[1290]: warning: SASL authentication failure: Password verification failed
Jun 10 15:29:12 mx postfix/smtps/smtpd[1290]: warning: node-5qw.pool-1-2.dynamic.totinternet.net[1.2.157.24]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:29:16 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:29:16 mx postfix/smtps/smtpd[1357]: warning: node-5qw.pool-1-2.dynamic.totinternet.net[1.2.157.24]: SASL PLAIN authentication failed: authentication failure
We are using CSF (configserver.com) as a local firewall.
Zimbra is running on Ubuntu 16.04.
Please follow the firewall’s documentation in order to install it properly.
TEST first, so that you do not lock yourself out!
1) Edit /etc/csf/csf.conf and set the following constant (it is almost at the end of the configuration file):
CUSTOM2_LOG = "/var/log/maillog"
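Edit /etc/csf/regex.custom.pm and, somewhere before the line that states “# Do not edit beyond this point”, add:
# Log SASL auth failures seen on the smtps service.
# Match both the LOGIN and PLAIN mechanisms; the log excerpt above shows PLAIN.
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtps\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL (?:LOGIN|PLAIN) authentication failed/)) {
    # message text, offending IP, unique rule id, trigger level, ports to block, "1" = permanent block
    return ("Failed SASL login from",$1,"mysaslmatch","2","25,465,587","1");
}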
Restart csf with
csf -r
Restart lfd with
service lfd restart
or, if you have CentOS 7+, with
systemctl restart lfd
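A dry run for the rule above, as an added example that is not part of the original post: it applies the same pattern to log lines and lists the IPs that would reach the trigger of 2, plus any of your own addresses among them. The sample lines, the `admin_ips` parameter and the acceptance of PLAIN alongside LOGIN are assumptions of this example.

```python
import re
from collections import Counter

# Python rendering of the regex.custom.pm pattern. The LOGIN|PLAIN alternation
# is an assumption added here because the log excerpt on this page shows PLAIN.
SASL_FAIL = re.compile(
    r"^\S+\s+\d+\s+\S+ \S+ postfix/smtps/smtpd\[\d+\]: warning:.*"
    r"\[(\d+\.\d+\.\d+\.\d+)\]: SASL (?:LOGIN|PLAIN) authentication failed"
)
TRIGGER = 2  # the "2" in the rule's return list

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE = """\
Jun 10 15:28:01 mx postfix/smtps/smtpd[1353]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:01 mx postfix/smtps/smtpd[1353]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:04 mx postfix/smtps/smtpd[1353]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:33 mx postfix/smtps/smtpd[1842]: warning: host.example.net[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Jun 10 15:29:02 mx postfix/submission/smtpd[1900]: warning: unknown[192.0.2.44]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:29:05 mx postfix/submission/smtpd[1900]: warning: unknown[192.0.2.44]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:30:10 mx postfix/smtps/smtpd[1357]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:30:12 mx postfix/smtps/smtpd[1357]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
""".splitlines()


def failed_ips(lines):
    """Count, per source IP, the lines the rule would match."""
    hits = Counter()
    for line in lines:
        m = SASL_FAIL.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def dry_run(lines, admin_ips=(), trigger=TRIGGER):
    """Return (IPs at or above the trigger, admin IPs among them).

    Simplification: counts over the whole input and ignores lfd's time window.
    admin_ips is a hypothetical list of addresses you administer the box from.
    """
    blocked = {ip: n for ip, n in failed_ips(lines).items() if n >= trigger}
    at_risk = sorted(ip for ip in blocked if ip in set(admin_ips))
    return blocked, at_risk


if __name__ == "__main__":
    blocked, at_risk = dry_run(SAMPLE, admin_ips=["192.0.2.10"])
    print("would block:", blocked)
    print("own addresses that would be blocked:", at_risk)
```

The two `postfix/submission/smtpd` lines are not counted, because the pattern only matches the `postfix/smtps/smtpd` service tag even though the rule lists ports 25, 465 and 587.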