Folks I am using sendmail as my mail server. SELINUX is disabled. I observe messages in Centos 7 (and 6) in /var/log/messages, similar to: saslauthd[2765]: do_auth : auth failure: [user=bettie] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error] I guess that this is because somebody tried to access one of the SMTP ports with a logon attempt. This is understandable; there are crackers out there. I'd like to block SMTP completely from the originating sender (by dropping the IP packets), but don't know how to figure out what the IP address is. I don't see anything in the "maillog" that, for example, has the name "bettie" or some other clue. The only thing I see is a message like sendmail[5452]: v9HIoBox005452: [xxx.xxx.xxx.xxx] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA with a close timestamp, but I'm reluctant to tie the two log entries together. Is there some log, or log setting that might enable me to tie the do_auth error to a specific IP address? I'm very reluctant to change mail servers to postfix or something like that. Thanks David
On Tue, Oct 17, 2017 at 11:58:01AM -0700, david wrote:> Folks > > I am using sendmail as my mail server. SELINUX is disabled. > I observe messages in Centos 7 (and 6) in /var/log/messages, similar to: > > saslauthd[2765]: do_auth : auth failure: [user=bettie] > [service=smtp] [realm=] [mech=pam] [reason=PAM auth error] > > I guess that this is because somebody tried to access one of the > SMTP ports with a logon attempt. This is understandable; there are > crackers out there. I'd like to block SMTP completely from the > originating sender (by dropping the IP packets), but don't know how > to figure out what the IP address is. I don't see anything in the > "maillog" that, for example, has the name "bettie" or some other > clue. The only thing I see is a message like > > sendmail[5452]: v9HIoBox005452: [xxx.xxx.xxx.xxx] did not issue > MAIL/EXPN/VRFY/ETRN during connection to MTA > > with a close timestamp, but I'm reluctant to tie the two log entries together. > > Is there some log, or log setting that might enable me to tie the > do_auth error to a specific IP address? I'm very reluctant to > change mail servers to postfix or something like that.You might learn more by perusing /var/log/maillog. thereare a number of sendmail techniques you can use to reduce spam or spam attempts. I can't tell you right now where I found them all, many of them I encountered while googling for sendmail or similar. The single biggest reduction in spam and malicious connection attempts I've found so far is to install and spend time configuring milter-greylist. probably cut the amount of spam I see in mutt in half. or maybe better than that. there are now days when I find nothing in my spam folder, whereas I would formerly see a dozen or five dozen or similar. and though it is now old and no longer maintained, spambayes still works well to separate the wheat from the chaff. if you want, contact me off-list and I can send you someof the settings I use in sendmail's .mc file for these purposes. -- ---- Fred Smith -- fredex at fcshome.stoneham.ma.us ---------------------------- Do you not know? Have you not heard? The LORD is the everlasting God, the Creator of the ends of the earth. He will not grow tired or weary, and his understanding no one can fathom. ----------------------------- Isaiah 40:28 (niv) -----------------------------
On Tue, 17 Oct 2017, david wrote:> Folks > > I am using sendmail as my mail server. SELINUX is disabled. > I observe messages in Centos 7 (and 6) in /var/log/messages, similar to: > > saslauthd[2765]: do_auth : auth failure: [user=bettie] [service=smtp] > [realm=] [mech=pam] [reason=PAM auth error] > > I guess that this is because somebody tried to access one of the SMTP ports > with a logon attempt. This is understandable; there are crackers out there. > I'd like to block SMTP completely from the originating sender (by dropping > the IP packets), but don't know how to figure out what the IP address is. I > don't see anything in the "maillog" that, for example, has the name "bettie" > or some other clue. The only thing I see is a message like > > sendmail[5452]: v9HIoBox005452: [xxx.xxx.xxx.xxx] did not issue > MAIL/EXPN/VRFY/ETRN during connection to MTA > > with a close timestamp, but I'm reluctant to tie the two log entries > together. > > Is there some log, or log setting that might enable me to tie the do_auth > error to a specific IP address? I'm very reluctant to change mail servers to > postfix or something like that.The default sendmail LogLevel is 9, but if you bump it to 10 sendmail will log the remote IP address associated with auth failures. In your sendmail.mc file, set define(`confLOG_LEVEL', `10') Or, if you manually edit sendmail.cf (<shudder/>), then add O LogLevel=10 You'll send up with mail log messages that correspond to the saslauthd failures you've noted: 2017-10-17T10:42:39.099125-04:00 mightymite sendmail[7240]: v9HEgTgp597220: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[nnn.nnn.nnn.nnn] -- Paul Heinlein heinlein at madboa.com 45?38' N, 122?6' W