Thanks, Viktor, for clarifying all this.  Very helpful :-)


Forrest


On 6/12/15 12:31 PM, Viktor Dukhovni wrote:
> On Fri, Jun 12, 2015 at 12:07:15PM -0400, Forrest wrote:
>
> > > > My server advertises (EHLO):
> > > >
> > > > 250-PIPELINING
> > > > 250-SIZE [ omitted ]
> > > > 250-ETRN
> > > > 250-STARTTLS
> > > > 250-ENHANCEDSTATUSCODES
> > > > 250 8BITMIME
> > >
> > > No SASL AUTH there.
> >
> > Hm.  Interesting, thanks for pointing that obvious thing out :)   I have the
> > following:
> >
> > # SASL
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_security_options = noanonymous
> > smtpd_sasl_local_domain = mydomain.com
> > smtpd_sasl_path = smtpd
>
> And likely also:
>
>      smtpd_tls_auth_only = yes
>
> which disables SASL AUTH for cleartext connections, and perhaps
> even master.cf overrides that disable it for port 25, if you don't
> need SASL support there at all.
>
> > With regard to logging, perhaps you're correct that Sendmail wasn't as
> > verbose.   But, it did log things and I don't recall seeing these issues
> > before.
>
> There is no "issue".  You're just confusing yourself.
>
>    * Botnets are trying SASL logins (as they surely did before),
>      mostly without TLS.
>
>    * Your server refuses SASL logins in cleartext, so there's no
>      dictionary attack.
>
>    * Postfix has more informative logs than Sendmail.  This is a
>      feature, not a bug.
>
>    * That information can raise questions that would not be
>      asked were the logs less informative.
>
> If you think clearly about what the logs mean, there's nothing to
> do or worry about.
>
>     Attempts to dictionary attack weak passwords are refused, by
>     virtue of the fact that all SASL AUTH attempts are refused.
>     Case closed.
>
> Just make sure the "attackers" in question are not legitimate users
> trying to use port 25 in cleartext for submission.
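
An added example, not part of the thread or of Postfix: a check that compares a server's EHLO reply before and after STARTTLS to confirm AUTH is withheld on cleartext connections, as smtpd_tls_auth_only = yes is described as doing above. The cleartext reply is the one quoted in the thread; the post-TLS and cleartext-AUTH replies are constructed samples, and all function names are this example's own.

```python
import smtplib

def ehlo_keywords(reply):
    """Return {KEYWORD: params} for the 250 lines of an EHLO reply."""
    found = {}
    for line in reply.splitlines():
        line = line.strip()
        if not line.startswith(("250-", "250 ")):
            continue
        body = line[4:].strip()
        # Postfix's broken_sasl_auth_clients adds a legacy "AUTH=..." line.
        if body.upper().startswith("AUTH="):
            body = "AUTH " + body[5:]
        keyword, _, params = body.partition(" ")
        if keyword:
            found[keyword.upper()] = params.strip()
    return found

def classify(pre_auth, starttls, post_auth):
    if pre_auth:
        return "AUTH offered in cleartext"
    if not starttls:
        return "no AUTH, no STARTTLS"
    return "AUTH only after STARTTLS" if post_auth else "AUTH not offered at all"

def check_replies(pre_tls, post_tls):
    pre, post = ehlo_keywords(pre_tls), ehlo_keywords(post_tls)
    return classify("AUTH" in pre, "STARTTLS" in pre, "AUTH" in post)

def check_live(host, port=25, timeout=10):
    """Same check against a server you operate (needs network access)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre_auth, starttls = s.has_extn("auth"), s.has_extn("starttls")
        post_auth = False
        if starttls:
            s.starttls()
            s.ehlo()
            post_auth = s.has_extn("auth")
        return classify(pre_auth, starttls, post_auth)

# Cleartext EHLO reply as quoted in the thread (its greeting line is not shown).
PAGE_EHLO = ("250-PIPELINING\n250-SIZE [ omitted ]\n250-ETRN\n"
             "250-STARTTLS\n250-ENHANCEDSTATUSCODES\n250 8BITMIME")
# Constructed sample: the same reply after STARTTLS, now with an AUTH line.
POST_TLS = PAGE_EHLO.replace("250 8BITMIME", "250-AUTH PLAIN LOGIN\n250 8BITMIME")
# Constructed sample: a server offering AUTH before TLS, legacy "AUTH=" syntax.
CLEARTEXT = "250-mail.example.com\n250-AUTH=PLAIN LOGIN\n250 8BITMIME"
if __name__ == "__main__":
    print(check_replies(PAGE_EHLO, POST_TLS))
```

A result of "AUTH not offered at all" on port 25 matches the master.cf override case mentioned in the thread, where SASL is left to a separate submission service.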

