On Fri, Jun 12, 2015 at 11:05:42AM -0400, Forrest wrote:

> My prior config was Sendmail 8 with Cyrus SASL which did not. My guess
> from this log is that AUTH is taking place unencrypted, which may be the
> cause?

Surely dictionary attacks on SASL were also launched against Sendmail...
Was there nothing of the sort in your Sendmail logs? If so perhaps this
is a difference in logging rather than actual activity.

> My server advertises (EHLO):
>
> 250-PIPELINING
> 250-SIZE [ omitted ]
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250 8BITMIME

No SASL AUTH there.

> Jun 11 15:31:19 mail postfix/smtpd[26189]: connect from
> static-71-250-232-194.nwrknj.east.verizon.net[71.250.232.194]
> Jun 11 15:31:19 mail postfix/smtpd[26189]: lost connection after AUTH from
> static-71-250-232-194.nwrknj.east.verizon.net[71.250.232.194]

This is not a dictionary attack, as SASL is disabled without TLS, and
what you're seeing is that the client gives up after Postfix rejects
the AUTH command (based on non-support for AUTH rather than an incorrect
password guess).

Which means you're just paying a bit too much attention to the logging,
where previously Sendmail might not have logged the last command before
the disconnect.

There's nothing to fix. (Unless you have legitimate SASL users on port
25 who did not get the memo about moving to port 587 with STARTTLS or
465 with wrappermode).

--
Viktor.
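A log check that separates the two cases discussed in the message above, added here as an example and not part of the original thread: it counts "lost connection after AUTH" events (no credentials were checked when AUTH is not offered, as on this server) separately from Postfix's "SASL ... authentication failed" warnings, which record an actual rejected login. The sample lines, the `classify` function, the verdict labels and the threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Jun 11 15:31:19 mail postfix/smtpd[26189]: connect from unknown[192.0.2.10]
Jun 11 15:31:19 mail postfix/smtpd[26189]: lost connection after AUTH from unknown[192.0.2.10]
Jun 11 15:31:25 mail postfix/smtpd[26189]: lost connection after AUTH from unknown[192.0.2.10]
Jun 11 15:40:02 mail postfix/smtpd[26201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jun 11 15:40:04 mail postfix/smtpd[26201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jun 11 15:40:06 mail postfix/smtpd[26201]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jun 11 16:02:11 mail postfix/submission/smtpd[26310]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jun 11 16:05:00 mail postfix/qmgr[1201]: 4F2A1: removed
"""

# Match smtpd lines, including per-service names such as postfix/submission/smtpd.
SMTPD = re.compile(r"postfix/(?:\w+/)?smtpd\[\d+\]: (?P<msg>.*)$")
LOST_AFTER_AUTH = re.compile(r"^lost connection after AUTH from \S*\[(?P<ip>[^\]]+)\]")
SASL_FAILED = re.compile(r"^warning: \S*\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed")

def classify(lines, guess_threshold=3):
    """Return {ip: {"aborted": n, "failed": n, "verdict": str}} for smtpd log lines."""
    aborted, failed = Counter(), Counter()
    for line in lines:
        m = SMTPD.search(line)
        if not m:
            continue  # not an smtpd record (qmgr, cleanup, other daemons)
        msg = m.group("msg")
        if (hit := LOST_AFTER_AUTH.match(msg)):
            aborted[hit["ip"]] += 1  # client dropped after the AUTH command
        elif (hit := SASL_FAILED.match(msg)):
            failed[hit["ip"]] += 1   # credentials were submitted and rejected
    report = {}
    for ip in aborted.keys() | failed.keys():
        if failed[ip] >= guess_threshold:  # threshold is an arbitrary example value
            verdict = "password-guessing"
        elif failed[ip]:
            verdict = "failed-login"
        else:
            verdict = "no-credential-check"
        report[ip] = {"aborted": aborted[ip], "failed": failed[ip], "verdict": verdict}
    return report

if __name__ == "__main__":
    for ip, row in sorted(classify(SAMPLE_LOG.splitlines()).items()):
        print(ip, row)
```

On a server that does offer AUTH on the connection, a "lost connection after AUTH" line can also mean the client dropped partway through the exchange, so the "no-credential-check" label only holds under the configuration described in the message.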