[CentOS] Auth failure messages

Wed Oct 18 14:18:36 UTC 2017
Paul Heinlein <heinlein at madboa.com>

On Tue, 17 Oct 2017, david wrote:

> Folks
> I am using sendmail as my mail server.  SELINUX is disabled.
> I observe messages in Centos 7 (and 6) in /var/log/messages, similar to:
> saslauthd[2765]: do_auth         : auth failure: [user=bettie] [service=smtp] 
> [realm=] [mech=pam] [reason=PAM auth error]
> I guess that this is because somebody tried to access one of the SMTP ports 
> with a logon attempt.  This is understandable; there are crackers out there. 
> I'd like to block SMTP completely from the originating sender (by dropping 
> the IP packets), but don't know how to figure out what the IP address is.  I 
> don't see anything in the "maillog" that, for example, has the name "bettie" 
> or some other clue.  The only thing I see is a message like
> sendmail[5452]: v9HIoBox005452: [xxx.xxx.xxx.xxx] did not issue 
> MAIL/EXPN/VRFY/ETRN during connection to MTA
> with a close timestamp, but I'm reluctant to tie the two log entries 
> together.
> Is there some log, or log setting that might enable me to tie the do_auth 
> error to a specific IP address?  I'm very reluctant to change mail servers to 
> postfix or something like that.

The default sendmail LogLevel is 9, but if you bump it to 10 sendmail 
will log the remote IP address associated with auth failures. In your 
sendmail.mc file, set

define(`confLOG_LEVEL', `10')

Or, if you manually edit sendmail.cf (<shudder/>), then add

O LogLevel=10

You'll end up with mail log messages that correspond to the saslauthd 
failures you've noted:

2017-10-17T10:42:39.099125-04:00 mightymite sendmail[7240]: 
v9HEgTgp597220: AUTH failure (LOGIN): authentication failure (-13)
SASL(-13): authentication failure: checkpass failed, 

Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
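As an added illustration of the correlation Paul describes (not code from the original thread): the script below pairs each saslauthd do_auth failure with the nearest sendmail AUTH failure logged at LogLevel 10 and counts failures per relay IP. The log lines are constructed, and the trailing "relay=[ip]" field on the sendmail line is assumed, since the message quoted above is cut off before it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample (not from the original post): saslauthd lines as seen
# in /var/log/messages, sendmail lines as written to /var/log/maillog at
# LogLevel 10. The "relay=[ip]" suffix is assumed; the post truncates it.
SAMPLE_LOG = """\
2017-10-17T10:42:39.099125-04:00 mightymite saslauthd[2765]: do_auth         : auth failure: [user=bettie] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
2017-10-17T10:42:39.101004-04:00 mightymite sendmail[7240]: vAAAAAAA017240: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.7]
2017-10-17T10:42:41.500000-04:00 mightymite sendmail[7240]: vAAAAAAA017240: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
2017-10-17T10:43:02.000000-04:00 mightymite saslauthd[2765]: do_auth         : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
2017-10-17T10:43:02.004000-04:00 mightymite sendmail[7301]: vBBBBBBB017301: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.7]
2017-10-17T10:45:10.000000-04:00 mightymite saslauthd[2765]: do_auth         : auth failure: [user=bettie] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
2017-10-17T10:45:10.250000-04:00 mightymite sendmail[7355]: vCCCCCCC017355: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=mail.example.net [198.51.100.23]
2017-10-17T10:50:00.000000-04:00 mightymite saslauthd[2765]: do_auth         : auth failure: [user=root] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""

TS_RE = re.compile(r"^(\S+) ")  # RFC 3339 timestamp, as in the post's maillog
SASL_RE = re.compile(r"saslauthd\[\d+\]: do_auth\s*: auth failure: \[user=([^\]]*)\]")
AUTH_RE = re.compile(r"sendmail\[\d+\]: (\w+): AUTH failure \(\w+\):.*"
                     r"relay=(?:[^\s\[]+ )?\[([0-9a-fA-F.:]+)\]")

def correlate_auth_failures(lines, window_seconds=2.0):
    """Pair each saslauthd failure with the nearest sendmail AUTH failure
    within window_seconds. Returns (Counter ip -> count, [(user, ip, qid)])."""
    sasl, smtp = [], []
    for line in lines:
        ts_m, s, a = TS_RE.match(line), SASL_RE.search(line), AUTH_RE.search(line)
        if not ts_m:
            continue
        ts = datetime.fromisoformat(ts_m.group(1))
        if s:
            sasl.append((ts, s.group(1)))
        elif a:
            smtp.append((ts, a.group(1), a.group(2)))
    per_ip = Counter(ip for _, _, ip in smtp)  # what a block rule would key on
    matches = []
    for ts, user in sasl:
        # nearest AUTH failure in time; None when no sendmail line is close enough
        near = [(abs((t - ts).total_seconds()), qid, ip) for t, qid, ip in smtp]
        near = [n for n in near if n[0] <= window_seconds]
        best = min(near) if near else (None, None, None)
        matches.append((user, best[2], best[1]))
    return per_ip, matches

if __name__ == "__main__":
    per_ip, matches = correlate_auth_failures(SAMPLE_LOG.splitlines())
    print(matches, per_ip.most_common(), sep="\n")
```

Run it against `cat /var/log/messages /var/log/maillog | sort` once LogLevel is 10; a saslauthd failure with no partner (the last sample line) shows up with a None IP rather than being silently matched to an unrelated connection.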