[Mimedefang] detect failed auth

Kevin A. McGrail KMcGrail at PCCC.com
Fri Nov 7 16:05:37 EST 2014


On 10/9/2014 4:37 AM, Tomasz Ostrowski wrote:
> On 2014-09-10 16:29, David F. Skoll wrote:
>
>> Sep 10 10:28:04 vanadium sm-mta[2670]: s8AEQtDU002670: 
>> dfs at hydrogen.roaringpenguin.com [192.168.10.1] did not issue 
>> MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
>
> I've recently configured fail2ban on my CentOS5 server with blocking 
> based solely on this line:
>> Oct  9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: 
>> cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue 
>> MAIL/EXPN/VRFY/ETRN during connection to MTA

We had the same issue and worked with Claus Assman, who put us in touch 
with Jim Hranicky, to get a patch for sendmail 8.14.5 for this issue.  It 
needs some eyes on it though, as we've tried to make it compatible with 
multiple versions of SASL.

So, based on / inspired by a patch from Jim Hranicky contributed to 
sendmail.org, here is a first pass at logging Auth failures. Anyone able to do 
some testing with it?

It compiles and doesn't blow things up but we need to put this on a 
server with SASL 2.0 but I don't want to delay other people testing it 
because I've had this sitting on my to-do list for a month+.

Regards,
KAM
-------------- next part --------------
--- /tmp/srvrsmtp.c	Fri Nov  7 15:37:19 2014
+++ ./srvrsmtp.c	Fri Nov  7 16:01:19 2014
@@ -593,6 +593,7 @@
 	volatile int authenticating;
 	char *user;
 	char *in, *out2;
+	char auth_user[256];
 # if SASL >= 20000
 	char *auth_id = NULL;
 	const char *out;
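Review bot: auth_user is declared without an initial value, and the later hunks pass it to sm_syslog() on the failure paths. If a failure is logged before either sm_strlcpy() has run, the log call reads indeterminate stack bytes. Set auth_user[0] = '\0' at the declaration or where authentication starts, and reset it when a new AUTH attempt begins so that a value from an earlier attempt on the same connection is not logged against a later one.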
@@ -1309,9 +1310,11 @@
 			in = xalloc(strlen(inp) + 1);
 			result = sasl_decode64(inp, strlen(inp), in,
 					       strlen(inp), &inlen);
+                        (void) sm_strlcpy(auth_user, in, sizeof(auth_user));
 # else /* SASL >= 20000 */
 			out = xalloc(strlen(inp));
 			result = sasl_decode64(inp, strlen(inp), out, &outlen);
+			(void) sm_strlcpy(auth_user, out, sizeof(auth_user));
 # endif /* SASL >= 20000 */
 			if (result != SASL_OK)
 			{
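Review bot: both sm_strlcpy() calls run before the result != SASL_OK check, so when sasl_decode64() fails they copy from a freshly xalloc'ed buffer whose contents are undefined and not guaranteed to be NUL-terminated. Move the copy after the check and bound it with the decoded length (inlen / outlen) rather than relying on a terminator, since the decoded data is arbitrary client bytes and not necessarily a C string. Minor: the added line in the SASL >= 20000 branch is indented with spaces where the surrounding code uses tabs.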
@@ -1471,9 +1474,9 @@
 			{
 				/* not SASL_OK or SASL_CONT */
 				message("535 5.7.0 authentication failed");
-				if (LogLevel > 9)
+				if (LogLevel >= 9)
 					sm_syslog(LOG_WARNING, e->e_id,
-						  "AUTH failure (%s): %s (%d) %s, relay=%.100s",
+						  "AUTH failure (1) (%s): %s (%d) %s, relay=%.100s user=%s",
 						  auth_type,
 						  sasl_errstring(result, NULL,
 								 NULL),
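Review bot: the new user=%s conversion has no precision and prints client-supplied bytes as they arrived, while the neighbouring field is bounded as relay=%.100s. Give it a bound (for example user=%.100s) and strip or escape non-printable characters before logging, because this line is meant to be matched by log parsers such as fail2ban and a crafted value should not be able to shape it. The change from LogLevel > 9 to LogLevel >= 9 also alters when the message is emitted and is unrelated to adding the user; either drop it or call it out in the patch description.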
@@ -1483,6 +1486,7 @@
 # else /* SASL >= 20000 */
 						  errstr == NULL ? "" : errstr,
 # endif /* SASL >= 20000 */
+						  auth_user,
 						  CurSmtpClient);
 				RESET_SASLCONN;
 				authenticating = SASL_NOT_AUTH;
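Review bot: auth_user is inserted before CurSmtpClient in the argument list, but the format string in the previous hunk ends with "relay=%.100s user=%s", so the two values are swapped: relay= prints the decoded client string and user= prints the relay. Place auth_user after CurSmtpClient, or reorder the format string to match. This matters for anything that bans on the relay address taken from this line.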
@@ -1699,6 +1703,7 @@
 				result = sasl_decode64(q, strlen(q), in,
 						       &inlen);
 # endif /* SASL >= 20000 */
+				(void) sm_strlcpy(auth_user, in, sizeof(auth_user));
 				if (result != SASL_OK)
 				{
 					message("501 5.5.4 cannot BASE64 decode '%s'",
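Review bot: this sm_strlcpy() overwrites auth_user with every decoded continuation response, so what ends up logged is the client's last response, not necessarily the user name. In a multi-step exchange a later response can carry the secret rather than the identity, which would put it in syslog. Capture only the step that carries the identity (or take the identity from the SASL library), and as in the earlier hunk do the copy only after result has been checked against SASL_OK.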
@@ -1738,9 +1743,9 @@
 			if (result != SASL_OK && result != SASL_CONTINUE)
 			{
 				message("535 5.7.0 authentication failed");
-				if (LogLevel > 9)
+				if (LogLevel >= 9)
 					sm_syslog(LOG_ERR, e->e_id,
-						  "AUTH failure (%s): %s (%d) %s, relay=%.100s",
+						  "AUTH failure (2) (%s): %s (%d) %s, relay=%.100s user=%s",
 						  p,
 						  sasl_errstring(result, NULL,
 								 NULL),
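Review bot: inserting "(1)" / "(2)" right after "AUTH failure" changes the start of a message that existing log matchers may key on, since the mechanism in parentheses is no longer the first field after the prefix. If the site marker is needed, append it at the end of the line or document it; otherwise drop it and keep the original prefix. The same points about the unbounded user=%s and the LogLevel >= 9 change apply here as at the first call site.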
@@ -1750,6 +1755,7 @@
 # else /* SASL >= 20000 */
 						  errstr,
 # endif /* SASL >= 20000 */
+						  auth_user,
 						  CurSmtpClient);
 				RESET_SASLCONN;
 				break;
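Review bot: same argument-order problem as the first call site. auth_user is added ahead of CurSmtpClient while the format string has relay=%.100s before user=%s, so the relay and user fields are swapped in the "AUTH failure (2)" message as well.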

