On 23/05/2024 14:27, Scott Techlist via Postfix-users wrote:
All of these entries are using the LOGIN mech.  Unless you have an
extremely old outlook express MUA (or similar) you can and should be
using the PLAIN mech.  You can eliminate all of the above attacks by
removing LOGIN from the list of mechs you accept.

Peter:

I too see a lot of these so I went to try your solution.  I edited 
/etc/sasl2/smtpd.conf
It now contains:

pwcheck_method: saslauthd
#mech_list: plain login
mech_list: plain

Restarted postfix and dovecot.

But now I notice I have both LOGIN and PLAIN failures, the change I made didn't 
have any effect that I can see.
May 22 18:40:18 tn2 postfix-submission/smtpd[6125]: warning: unknown[218.67.123.202]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 22 18:40:31 tn2 postfix-submission/smtpd[6063]: warning: unknown[60.212.0.13]: SASL PLAIN authentication failed:
May 22 18:40:51 tn2 postfix-submission/smtpd[6126]: warning: unknown[41.207.248.204]: SASL PLAIN authentication failed:
May 22 18:41:25 tn2 postfix-submission/smtpd[6125]: warning: unknown[109.195.69.156]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 22 18:41:41 tn2 postfix-submission/smtpd[6063]: warning: unknown[175.196.165.155]: SASL LOGIN authentication failed:

Is there some place else I need to adjust the mechs I accept?  Something else 
I need to restart?
This is people/bots attempting to use your system as a relay, the
authentication mechanism has nothing to do with it.

Unless, of course, you have users in China, Africa, Russia, Korea, etcetera, etcetera, etcetera, who should be able to authenticate and send mail via your system.

Install and use "jwhois" to find out where the attempts are probably coming from. (But you do have to keep your jwhois.conf up to date. :-) )

And read up on postscreen and implement it, before someone *does* break in.

        Cheers,
                Gary    B-)
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
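
Added example, not part of the thread or of Postfix: a small Python tally of the "SASL ... authentication failed" warnings shown above, grouped by mechanism and client address, which also decodes the trailing base64 (the `UGFzc3dvcmQ6` in the LOGIN lines decodes to `Password:`). The sample log lines are constructed, using documentation-range addresses and a placeholder hostname.

```python
import base64
import binascii
import re
from collections import Counter

# Constructed sample, modelled on the log format quoted in the thread.
# Addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
May 22 18:40:18 mx postfix-submission/smtpd[6125]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 22 18:40:31 mx postfix-submission/smtpd[6063]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed:
May 22 18:41:25 mx postfix-submission/smtpd[6125]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 22 18:41:41 mx postfix-submission/smtpd[6063]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed:
May 22 18:42:02 mx postfix-submission/smtpd[6063]: connect from unknown[203.0.113.5]
"""

FAIL_RE = re.compile(
    r"warning: (?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>[A-Z0-9_-]+) authentication failed:\s*(?P<detail>.*)$"
)

def decode_detail(detail):
    """Return the base64-decoded detail text, or the raw text if not base64."""
    if not detail:
        return ""
    try:
        return base64.b64decode(detail, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return detail

def summarize(log_text):
    """Tally failed SASL attempts per mechanism and per client address."""
    by_mech, by_ip, details = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # not a SASL failure warning
        by_mech[m["mech"]] += 1
        by_ip[m["ip"]] += 1
        details.add(decode_detail(m["detail"].strip()))
    return by_mech, by_ip, details

if __name__ == "__main__":
    mechs, ips, details = summarize(SAMPLE_LOG)
    print("by mechanism:", dict(mechs))
    print("by client:", ips.most_common())
    print("decoded details:", sorted(details))
```

Running the same tally before and after a `mech_list` change shows whether LOGIN attempts are still being accepted far enough to be logged as failures.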