I have been receiving dozens of these messages in my /var/log/auth.log:
Jan 27 19:06:03 myserver saslauthd[2155]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 27 19:06:07 myserver saslauthd[2158]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jan 27 19:06:09 myserver saslauthd[2158]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 27 19:06:13 myserver saslauthd[2157]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jan 27 19:06:15 myserver saslauthd[2157]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 27 19:06:19 myserver saslauthd[2154]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=admin
Jan 27 19:06:21 myserver saslauthd[2154]: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 27 19:06:25 myserver saslauthd[2156]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=admin
Jan 27 19:06:27 myserver saslauthd[2156]: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Corresponding messages in my syslog look like this:
Jan 28 06:26:45 myserver sm-mta[18977]: t0RJLeYI018977: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 28 06:26:51 myserver sm-mta[18978]: t0RJLkcF018978: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 28 06:26:57 myserver sm-mta[18979]: t0RJLqEu018979: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 28 06:27:03 myserver sm-mta[18980]: t0RJLwBp018980: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 28 06:27:09 myserver sm-mta[18981]: t0RJM4MU018981: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 28 06:27:15 myserver sm-mta[18982]: t0RJMA8J018982: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 28 06:27:21 myserver sm-mta[18983]: t0RJMGCp018983: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 28 06:38:26 myserver sm-mta[18984]: t0RJMMKQ018984: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
I am unable to create a fail2ban rule to block these because the auth.log messages do not contain an IP address.
Relevant configs:
#/etc/mail/sasl/Sendmail.conf.2
pwcheck_method: saslauthd
allowanonymouslogin: 0
allowplaintext: 1
mech_list: EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
# /etc/mail/sendmail.mc
include(`/etc/mail/sasl/sasl.m4')dnl
define(`confAUTH_OPTIONS', `p,y')dnl
# sendmail -d0.4 -bv root
Version 8.14.4
Compiled with: DNSMAP LDAPMAP LDAP_REFERRALS LOG MAP_REGEX MATCHGECOS
MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX
NEWDB NIS NISPLUS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT XDEBUG
Canonical name: myserver.mydomain.com
UUCP nodename: myserver.mydomain.com
a.k.a.: www.mydomain.com
a.k.a.: mail.mydomain.com
a.k.a.: mydomain.com
a.k.a.: myserver
a.k.a.: [192.168.0.33]
a.k.a.: [127.0.0.1]
============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = myserver
(canonical domain name) $j = mydomain.com
(subdomain name) $m = mydomain.com
(node name) $k = myserver.mydomain.com
========================================================
robert... deliverable: mailer local, user robert
Debian 7.7
I realise that there have been a lot of similar posts, but I've never found a solution. I could block the 'did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA' lines after a large number of attempts, but I'd probably block legitimate traffic.
Is there a way that I can log the IP address in my auth.log? - This would allow me to write a fail2ban filter.
myserver and my domain are, of course, fictional.
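The two log streams quoted above can be joined by time: saslauthd writes the failure (with the user but no address) while the SMTP session is still open, and sm-mta writes the `did not issue MAIL/EXPN/VRFY/ETRN` line (with the address) when that same session closes a few seconds later. The script below is an added example, not code from the poster or from the fail2ban or sendmail projects: it parses both line shapes, attributes each saslauthd failure to the remote IP whose session ended within a short window after it, counts failures per IP, and renders one synthetic line per attributed failure that carries the address, which a fail2ban filter can match. The sample log lines, the year, the 10-second window, the 3-failure threshold, and the `sasl-correlate` tag in the rendered lines are all constructed for the example. The nearest-following-disconnect rule is a heuristic: if several clients close sessions in the same window the attribution can be wrong, so use it to rate-limit or alert rather than to ban on a single hit. Sendmail can also log its own `AUTH failure (...)... relay=[IP]` lines to the mail log once LogLevel is raised far enough (check the threshold for the version in use); where that line is available it is the simpler fail2ban target and this correlation is unnecessary.

```python
#!/usr/bin/env python3
"""Correlate saslauthd PAM failures (which carry no client IP) with
sendmail session-end lines (which do) so repeated SMTP AUTH failures
can be attributed to a remote address.  Example code added to this
page; not from the original poster, fail2ban or sendmail."""
import re
from collections import Counter
from datetime import datetime

# Line shapes as quoted in the question.
SASL_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: do_auth : '
    r'auth failure: \[user=(?P<user>[^\]]*)\]')
MTA_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: \S+: '
    r'\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] did not issue MAIL/EXPN/VRFY/ETRN')

YEAR = 2015  # assumption: syslog timestamps carry no year

# Constructed sample input (not the poster's real logs).
AUTH_LOG = [
    "Jan 28 06:26:41 myserver saslauthd[2155]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Jan 28 06:26:47 myserver saslauthd[2158]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=",
    "Jan 28 06:26:48 myserver saslauthd[2158]: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Jan 28 06:26:53 myserver saslauthd[2157]: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Jan 28 06:27:25 myserver saslauthd[2154]: do_auth : auth failure: [user=robert] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Jan 28 06:40:00 myserver saslauthd[2156]: do_auth : auth failure: [user=robert] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
]
MAIL_LOG = [
    "Jan 28 06:26:45 myserver sm-mta[18977]: t0RJLeYI018977: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Jan 28 06:26:51 myserver sm-mta[18978]: t0RJLkcF018978: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Jan 28 06:26:57 myserver sm-mta[18979]: t0RJLqEu018979: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Jan 28 06:27:30 myserver sm-mta[18990]: t0RJMXab018990: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
]


def parse_ts(text):
    """Turn a 'Mon dd HH:MM:SS' syslog stamp into a datetime (year assumed)."""
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def sasl_failures(lines):
    """Yield (timestamp, user) for every saslauthd do_auth failure."""
    for line in lines:
        m = SASL_RE.match(line)
        if m:
            yield parse_ts(m['ts']), m['user']


def mta_disconnects(lines):
    """Yield (timestamp, ip) for every sm-mta session-end line."""
    for line in lines:
        m = MTA_RE.match(line)
        if m:
            yield parse_ts(m['ts']), m['ip']


def correlate(auth_lines, mail_lines, window=10):
    """Attribute each saslauthd failure to the IP whose sendmail session
    closed soonest after it, within `window` seconds.  Failures with no
    session end in the window stay unattributed and are dropped."""
    ends = sorted(mta_disconnects(mail_lines))
    attributed = []
    for ts, user in sasl_failures(auth_lines):
        candidates = [(end, ip) for end, ip in ends
                      if 0 <= (end - ts).total_seconds() <= window]
        if candidates:
            _, ip = min(candidates)  # earliest session end after the failure
            attributed.append((ts, user, ip))
    return attributed


def offenders(attributed, threshold=3):
    """Return {ip: failure_count} for IPs at or above the threshold."""
    counts = Counter(ip for _, _, ip in attributed)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def fail2ban_lines(attributed, host="myserver"):
    """Render one syslog-style line per attributed failure that carries the
    address, so a fail2ban failregex can anchor on 'rhost=<HOST>'."""
    return [f"{ts.strftime('%b %d %H:%M:%S')} {host} sasl-correlate: "
            f"auth failure user={user} rhost={ip}"
            for ts, user, ip in attributed]


if __name__ == "__main__":
    hits = correlate(AUTH_LOG, MAIL_LOG)
    for line in fail2ban_lines(hits):
        print(line)
    print("offenders:", offenders(hits))
```

Running the script over the constructed sample attributes three failures to 46.17.100.149 and one to 203.0.113.7; the 06:40:00 failure has no session end within the window and is left out. In practice the rendered lines would be appended to a file such as a dedicated correlation log (filename is your choice), and a fail2ban filter with a failregex of the form `sasl-correlate: auth failure user=\S+ rhost=<HOST>` (hypothetical filter, written for the line format above) would then see the address it needs.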