Hi,
My main mail server is running CentOS 7 with Postfix and Dovecot.
Last week I was surprised to see that Postfix had some troubles on this machine, according to Icinga. I took a peek at the logs:
# journalctl -p err Mar 28 04:37:02 sd-151768 postfix/smtpd[2786]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2788]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2790]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2792]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2794]: fatal: no SASL authentication mechanisms ...
And in /var/log/maillog I found a tsunami of these:
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: lost connection after AUTH from unknown[45.227.253.115] Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: disconnect from unknown[45.227.253.115]
My first reaction was to manually ban the IP addresses / networks which caused the flood, using my firewall:
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='45.227.253.0/24' reject" # firewall-cmd --reload
I'm already using fail2ban in conjunction with firewalld to prevent brute force SSH attacks.
Q: can I use it in a similar configuration to stop Postfix from getting flooded and brought down to its knees?
Thanks & cheers from the sunny South of France,
Niki
I'm pretty sure I encountered this and needed to yum install cyrus-sasl-plain to resolve it.
On 29 Mar 2021, at 20:31, Nicolas Kovacs info@microlinux.fr wrote:
Hi,
My main mail server is running CentOS 7 with Postfix and Dovecot.
Last week I was surprised to see that Postfix had some troubles on this machine, according to Icinga. I took a peek at the logs:
# journalctl -p err Mar 28 04:37:02 sd-151768 postfix/smtpd[2786]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2788]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2790]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2792]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2794]: fatal: no SASL authentication mechanisms ...
And in /var/log/maillog I found a tsunami of these:
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: lost connection after AUTH from unknown[45.227.253.115] Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: disconnect from unknown[45.227.253.115]
My first reaction was to manually ban the IP addresses / networks which caused the flood, using my firewall:
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='45.227.253.0/24' reject" # firewall-cmd --reload
I'm already using fail2ban in conjunction with firewalld to prevent brute force SSH attacks.
Q: can I use it in a similar configuration to stop Postfix from getting flooded and brought down to its knees?
Thanks & cheers from the sunny South of France,
Niki
-- Microlinux - Solutions informatiques durables 7, place de l'église - 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32 Mob. : 06 51 80 12 12 _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Sorry, re-read your question and realise my suggestion would only help you get SASL authentication working.
On 31 Mar 2021, at 09:19, Jamie Burchell mail@jamieburchell.com wrote:
I'm pretty sure I encountered this and needed to yum install cyrus-sasl-plain to resolve it.
On 29 Mar 2021, at 20:31, Nicolas Kovacs info@microlinux.fr wrote:
Hi,
My main mail server is running CentOS 7 with Postfix and Dovecot.
Last week I was surprised to see that Postfix had some troubles on this machine, according to Icinga. I took a peek at the logs:
# journalctl -p err Mar 28 04:37:02 sd-151768 postfix/smtpd[2786]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2788]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2790]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2792]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2794]: fatal: no SASL authentication mechanisms ...
And in /var/log/maillog I found a tsunami of these:
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: lost connection after AUTH from unknown[45.227.253.115] Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: disconnect from unknown[45.227.253.115]
My first reaction was to manually ban the IP addresses / networks which caused the flood, using my firewall:
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='45.227.253.0/24' reject" # firewall-cmd --reload
I'm already using fail2ban in conjunction with firewalld to prevent brute force SSH attacks.
Q: can I use it in a similar configuration to stop Postfix from getting flooded and brought down to its knees?
Thanks & cheers from the sunny South of France,
Niki
-- Microlinux - Solutions informatiques durables 7, place de l'église - 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32 Mob. : 06 51 80 12 12 _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Hello NIki,
Juste enable postfix-sasl in jail.conf:
[postfix-sasl]
filter = postfix[mode=auth] port = smtp,465,submission,imap,imaps,pop3,pop3s logpath = %(postfix_log)s backend = %(postfix_backend)s enabled = true maxretry = 3 findtime = 172800 bantime = 3600
And enable recidive too:
[recidive]
logpath = /var/log/fail2ban.log banaction = %(banaction_allports)s bantime = 1mo findtime = 1w enabled = true
Add ignoreip = 127.0.0.1 and your jumpoints :)
Regards, DH
po 29. 3. 2021 v 21:31 odesílatel Nicolas Kovacs info@microlinux.fr napsal:
Hi,
My main mail server is running CentOS 7 with Postfix and Dovecot.
Last week I was surprised to see that Postfix had some troubles on this machine, according to Icinga. I took a peek at the logs:
# journalctl -p err Mar 28 04:37:02 sd-151768 postfix/smtpd[2786]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2788]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2790]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2792]: fatal: no SASL authentication mechanisms Mar 28 04:37:02 sd-151768 postfix/smtpd[2794]: fatal: no SASL authentication mechanisms ...
And in /var/log/maillog I found a tsunami of these:
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: lost connection after AUTH from unknown[45.227.253.115] Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: disconnect from unknown[45.227.253.115]
My first reaction was to manually ban the IP addresses / networks which caused the flood, using my firewall:
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='45.227.253.0/24' reject" # firewall-cmd --reload
I'm already using fail2ban in conjunction with firewalld to prevent brute force SSH attacks.
Q: can I use it in a similar configuration to stop Postfix from getting flooded and brought down to its knees?
Thanks & cheers from the sunny South of France,
Niki
-- Microlinux - Solutions informatiques durables 7, place de l'église - 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32 Mob. : 06 51 80 12 12 _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos