Tons of SMTP AUTH failures in logs

2015-08-28 Thread Forrest
I've become used to the script kiddies sending out large connection requests (I do have a threshold set). They are able to get around it by other connections. For example, I had 857 connects of this: Aug 28 11:57:35 mail postfix/smtpd[20544]: connect from unknown[5.232.194.77] Aug 28 11:57:3

Re: Tons of SMTP AUTH failures in logs

2015-08-28 Thread Forrest
On 8/28/15 2:09 PM, Robert Schetterer wrote: Am 28.08.2015 um 20:03 schrieb Forrest: I've become used to the script kiddies sending out large connection requests (I do have a threshold set). They are able to get around it by other connections. For example, I had 857 connects of this: A

Compiling 3.0.1 with Cyrus SASL support not working

2015-06-03 Thread Forrest
I read the README_SASL document. I'm on CentOS 5.x using Cyrus SASL 2.1.22, attempting to get Postfix 3.0.1 to compile in SASL support correctly, using the following flags: # make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl" AUXLIBS="-L/usr/lib/sasl -lsasl2"

Compiling 3.0.1 with Cyrus SASL support not working

2015-06-03 Thread Forrest
I managed to fix this on my own; please disregard. Thank you.

SASL AUTH dictionary attacks

2015-06-09 Thread Forrest
I recently updated my system from Sendmail to Postfix 3.0.1. Since that time, I've been targeted with several SASL dictionary attacks; activity I've not seen in this number before. Reading around elsewhere, I wonder if the script kiddies are looking for Postfix in the banner (which I've since

Re: SASL AUTH dictionary attacks

2015-06-09 Thread Forrest
On 6/9/15 1:02 PM, Viktor Dukhovni wrote: On Tue, Jun 09, 2015 at 12:54:51PM -0400, Forrest wrote: I recently updated my system from Sendmail to Postfix 3.0.1. Since that time, I've been targeted with several SASL dictionary attacks; activity I've not seen in this number before. R

Re: SASL AUTH dictionary attacks

2015-06-09 Thread Forrest
On 6/9/15 1:38 PM, Viktor Dukhovni wrote: On Tue, Jun 09, 2015 at 01:23:47PM -0400, Forrest wrote: postfix/smtpd[12345]: warning: unknown[212.156.86.90]: SASL LOGIN authentication failed: authentication failure so I presume that's port 25, as I have submission running as another configur

Re: SASL AUTH dictionary attacks

2015-06-09 Thread Forrest
om unknown[71.19.249.5] for service smtp Thanks, Forrest

Re: SASL AUTH dictionary attacks

2015-06-09 Thread Forrest
On 6/9/15 6:19 PM, Scott Lambert wrote: On Tue, Jun 09, 2015 at 07:23:43PM +, Viktor Dukhovni wrote: On Tue, Jun 09, 2015 at 02:26:20PM -0400, Forrest wrote: So that log entry might be for the submission port, unless you've configured it along the lines above. I believe this is al

SASL and AUTH dictionary attacks

2015-06-12 Thread Forrest
Since upgrading to Postfix, my system is seeing a lot of this activity. My prior config was Sendmail 8 with Cyrus SASL which did not. My guess from this log is that AUTH is taking place unencrypted, which may be the cause? My server advertises (EHLO): 250-PIPELINING 250-SIZE [ omitted ] 25

Re: SASL and AUTH dictionary attacks

2015-06-12 Thread Forrest
On 6/12/15 11:50 AM, Viktor Dukhovni wrote: On Fri, Jun 12, 2015 at 11:05:42AM -0400, Forrest wrote: My prior config was Sendmail 8 with Cyrus SASL which did not. My guess from this log is that AUTH is taking place unencrypted, which may be the cause? Surely dictionary attacks on SASL were

Re: SASL and AUTH dictionary attacks

2015-06-12 Thread Forrest
Thanks, Viktor, for clarifying all this. Very helpful :-) Forrest On 6/12/15 12:31 PM, Viktor Dukhovni wrote: On Fri, Jun 12, 2015 at 12:07:15PM -0400, Forrest wrote: My server advertises (EHLO): 250-PIPELINING 250-SIZE [ omitted ] 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250

Get Postfix w/ Cyrus SASL to work

2015-06-12 Thread Forrest
I just realized my config doesn't appear to be using SASL, though I compiled it with the correct libs and flags (from makedefs.out): SYSLIBS = -lssl -lcrypto -L/usr/lib/sasl -lsasl2 -lpcre -ldb -lnsl -lresolv -ldl CC = gcc -I. -I../../include -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DUSE_TLS -I/

Re: Get Postfix w/ Cyrus SASL to work

2015-06-12 Thread Forrest
Noel, here is the output from postconf -n (sanitized). Thank you. alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases body_checks = regexp:/etc/postfix/body_checks body_checks_size_limit = 51200 command_directory = /usr/sbin compatibility_level = 2 daemon_directory = /usr/libexec/p

Dealing with failed AUTH attempts/attacks

2015-06-20 Thread Forrest
How are others handling dictionary attacks (AUTH) with Postfix? For example: Jun 19 21:28:24 mail postfix/smtpd[32583]: connect from unknown[212.131.132.49] Jun 19 21:28:24 mail postfix/smtpd[32583]: lost connection after AUTH from unknown[212.131.132.49] Jun 19 21:28:24 mail postfix/smtpd[32

Selective relay/direct for outgoing mail?

2012-05-27 Thread Phil Forrest
Hello Everyone, I am a very new postfix admin and I have a simple case for which I need documentation/pointers. I am hosting a mail forwarder, and I need this logic followed: For mail destined to mydomain.tld send outgoing via deliver directly. For all other mail, send mail via host: .mydomain.