On Fri, Jun 12, 2015 at 12:07:15PM -0400, Forrest wrote:

> >>My server advertises (EHLO):
> >>
> >>250-PIPELINING
> >>250-SIZE [ omitted ]
> >>250-ETRN
> >>250-STARTTLS
> >>250-ENHANCEDSTATUSCODES
> >>250 8BITMIME
> >
> >No SASL AUTH there.
>
> Hm. Interesting, thanks for pointing that obvious thing out :) I have the
> following:
>
> # SASL
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = mydomain.com
> smtpd_sasl_path = smtpd

And likely also:

    smtpd_tls_auth_only = yes

which disables SASL AUTH for cleartext connections, and perhaps even
master.cf overrides that disable it for port 25, if you don't need
SASL support there at all.

> With regard to logging, perhaps you're correct that Sendmail wasn't as
> verbose. But, it did log things and I don't recall seeing these issues
> before.

There is no "issue". You're just confusing yourself.

    * Botnets are trying SASL logins (as they surely did before),
      mostly without TLS.

    * Your server refuses SASL logins in cleartext, so there's no
      dictionary attack.

    * Postfix has more informative logs than Sendmail. This is a
      feature, not a bug.

    * That information can raise questions that would not be asked
      were the logs less informative.

If you think clearly about what the logs mean, there's nothing to
do or worry about. Attempts to dictionary attack weak passwords
are refused, by virtue of the fact that all SASL AUTH attempts are
refused. Case closed.

Just make sure the "attackers" in question are not legitimate users
trying to use port 25 in cleartext for submission.

-- 
Viktor.
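
Added example, not part of the original message: a Python check that reads an EHLO reply and reports whether SASL AUTH is advertised before or only after STARTTLS, which is the effect of `smtpd_tls_auth_only = yes` discussed above. The function names and the post-STARTTLS reply are constructed for illustration; the cleartext reply is the one quoted in the message.

```python
import smtplib

# EHLO reply quoted in the message (cleartext; SIZE value omitted there).
CLEARTEXT_EHLO = """\
250-PIPELINING
250-SIZE [ omitted ]
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME"""

# Constructed sample: a possible reply from the same server after STARTTLS.
TLS_EHLO = """\
250-PIPELINING
250-ETRN
250-AUTH PLAIN LOGIN
250 8BITMIME"""

def auth_mechs(ehlo_reply):
    """Return the SASL mechanisms advertised in a raw EHLO reply, or []."""
    mechs = []
    for line in ehlo_reply.splitlines():
        line = line.strip()
        if not line.startswith("250") or line[3:4] not in ("-", " "):
            continue  # not an EHLO reply line
        # Standard form is "AUTH PLAIN LOGIN"; "AUTH=PLAIN LOGIN" is the
        # legacy form some servers also emit for old clients.
        words = line[4:].replace("=", " ", 1).upper().split()
        if words and words[0] == "AUTH":
            mechs += [m for m in words[1:] if m not in mechs]
    return mechs

def classify(cleartext_reply, tls_reply):
    """Summarise where AUTH is offered, given both EHLO replies."""
    clear, tls = auth_mechs(cleartext_reply), auth_mechs(tls_reply)
    if clear:
        return "AUTH offered in cleartext: " + " ".join(clear)
    if tls:
        return "AUTH only after STARTTLS: " + " ".join(tls)
    return "AUTH not offered"

def probe(host, port=25):
    """Live check of your own server: (cleartext mechs, post-TLS mechs)."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        clear = s.esmtp_features.get("auth", "").upper().split()
        s.starttls()  # raises if STARTTLS is not offered
        s.ehlo()
        return clear, s.esmtp_features.get("auth", "").upper().split()
```

An empty first element from `probe()` on port 25 matches the behaviour described in the message: the server gives cleartext clients no AUTH to attempt.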