How to block SASL login attacks in zimbra using csf


I see this in the logs, 24/7, obviously spammers trying to get into our Zimbra 8.8.11 servers, I guess doing some kind of dictionary attack.
Is SASL related to POPS and/or IMAPS, which are all that we really allow? We only have a handful of accounts on the server, mainly for outgoing mail, notifications from a service we offer.

If SASL is not related, can it be disabled, and is it worth doing so, since this is the only non-stop attempt that I see in the logs?


Jun 10 15:28:01 mx postfix/smtps/smtpd[1353]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:01 mx postfix/smtps/smtpd[1353]: warning: unknown[80.149.41.197]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:04 mx postfix/smtps/smtpd[1353]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:04 mx postfix/smtps/smtpd[1353]: warning: unknown[80.149.41.197]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:14 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:14 mx postfix/smtps/smtpd[1357]: warning: unknown[113.172.116.1]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:31 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:31 mx postfix/smtps/smtpd[1357]: warning: unknown[14.164.186.241]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:33 mx postfix/smtps/smtpd[1842]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:33 mx postfix/smtps/smtpd[1842]: warning: mx-ll-183.89.215-245.dynamic.3bb.co.th[183.89.215.245]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:35 mx postfix/smtps/smtpd[1290]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:35 mx postfix/smtps/smtpd[1290]: warning: unknown[14.164.186.241]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:44 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:44 mx postfix/smtps/smtpd[1357]: warning: mx-ll-183.89.215-245.dynamic.3bb.co.th[183.89.215.245]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:29:09 mx postfix/smtps/smtpd[1842]: warning: SASL authentication failure: Password verification failed
Jun 10 15:29:09 mx postfix/smtps/smtpd[1842]: warning: unknown[220.156.174.161]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:29:12 mx postfix/smtps/smtpd[1290]: warning: SASL authentication failure: Password verification failed
Jun 10 15:29:12 mx postfix/smtps/smtpd[1290]: warning: node-5qw.pool-1-2.dynamic.totinternet.net[1.2.157.24]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:29:16 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:29:16 mx postfix/smtps/smtpd[1357]: warning: node-5qw.pool-1-2.dynamic.totinternet.net[1.2.157.24]: SASL PLAIN authentication failed: authentication failure

We are using csf (configserver.com) as the local firewall.
Zimbra is running on Ubuntu 16.04.

Please follow the firewall’s documentation in order to install it properly.
TEST first, so that you do not lock yourself out!

1) Edit /etc/csf/csf.conf and set the following constant (it is almost at the end of the configuration file). The path must be the log file in which the postfix lines shown above appear on your system.

CUSTOM2_LOG = "/var/log/maillog"

2) Edit /etc/csf/regex.custom.pm and, somewhere before the line that states “# Do not edit beyond this point”, add:

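# log SASL auth: block clients with repeated SASL authentication failures.
# The mechanism is matched as LOGIN or PLAIN (the log excerpt above shows PLAIN).
# Return values: message, offending IP, unique rule name, failures before blocking,
# ports to block, 1 = permanent block
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtps\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL (?:LOGIN|PLAIN) authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","2","25,465,587","1");
}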

Restart csf with

csf -r

Restart lfd with

service lfd restart

or, if you have CentOS 7+:

systemctl restart lfd
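
As an added example (not part of the original post or of csf), the Python script below runs an lfd-style pattern over log lines copied from the excerpt above, to check before deploying a rule that it actually matches what postfix logs. It compares a LOGIN-only pattern with one that also accepts PLAIN; the function names and the simplified per-IP counting (no time window) are assumptions of this example.

```python
import re
from collections import Counter

# Log lines copied from the excerpt on this page (a subset).
SAMPLE_LOG = """\
Jun 10 15:28:01 mx postfix/smtps/smtpd[1353]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:01 mx postfix/smtps/smtpd[1353]: warning: unknown[80.149.41.197]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:04 mx postfix/smtps/smtpd[1353]: warning: unknown[80.149.41.197]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:14 mx postfix/smtps/smtpd[1357]: warning: unknown[113.172.116.1]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:31 mx postfix/smtps/smtpd[1357]: warning: unknown[14.164.186.241]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:33 mx postfix/smtps/smtpd[1842]: warning: mx-ll-183.89.215-245.dynamic.3bb.co.th[183.89.215.245]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:35 mx postfix/smtps/smtpd[1290]: warning: unknown[14.164.186.241]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:44 mx postfix/smtps/smtpd[1357]: warning: mx-ll-183.89.215-245.dynamic.3bb.co.th[183.89.215.245]: SASL PLAIN authentication failed: authentication failure
"""

# Same structure as the regex.custom.pm rule; only the SASL mechanism part differs.
PREFIX = (r"^\S+\s+\d+\s+\S+ \S+ postfix/smtps/smtpd\[\d+\]: warning:"
          r".*\[(\d+\.\d+\.\d+\.\d+)\]: SASL ")
LOGIN_ONLY = re.compile(PREFIX + r"LOGIN authentication failed")
ANY_MECH = re.compile(PREFIX + r"(?:LOGIN|PLAIN) authentication failed")

TRIGGER = 2  # failures per IP before blocking (4th return value of the rule)


def failures_by_ip(pattern, log_text):
    """Count matching failure lines per client IP (time window ignored)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def would_block(pattern, log_text, trigger=TRIGGER):
    """Return the sorted list of IPs whose failure count reaches the trigger."""
    counts = failures_by_ip(pattern, log_text)
    return sorted(ip for ip, n in counts.items() if n >= trigger)


if __name__ == "__main__":
    for name, pat in (("LOGIN only", LOGIN_ONLY), ("LOGIN or PLAIN", ANY_MECH)):
        print(name, dict(failures_by_ip(pat, SAMPLE_LOG)),
              "-> block:", would_block(pat, SAMPLE_LOG))
```

Point the same check at a copy of your own mail log to confirm which mechanism names your clients trigger before relying on the rule.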
