Re: [CentOS] saslauthd attack

2010-02-11 Thread B.J. McClure

On Wed, 2010-02-10 at 22:33 -0500, John Hinton wrote:
 Yes... most of them. Just the new PITA. Anyway... I still can't seem to 
 figure out how to log the IP addresses for this attack.
 
 The system is saslauthd running as a service... sendmail and dovecot 
 setup. I have log levels in sendmail set to 14. Something has to be able 
 to log the offender(s).
 
 Any ideas what I'm missing or where to look?
 
 John
 
 Lincoln Zuljewic Silva wrote:
  I suppose that you are using SMTP authentication with SASL.
 
  From the log service=smtp...so, in fact, the attack is coming from
  the SMTP server and not directly to the SASL.
 
  I guess that someone is trying to do a brute force attack on the SMTP 
  server.
 
  Regards
  Lincoln
 
  On Wed, Feb 10, 2010 at 6:08 PM, John Hinton webmas...@ew3d.com wrote:

  I'm seeing a lot of activity over the last two days with what looks to
  be a kiddie script. Mostly trying to access several of our servers with
  the username anna. All failed... in fact I don't think we have a user
  anna on any of our servers. Meanwhile...
 
  I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also
  running fail2ban on some and Ossec on others. So far, no blocking is
  being done. When I look at the logs all I find is under messages and
  here is a sample:
snip

I use denyhosts which has worked well for me.  I have two IPs which have
been under attack mostly on ssh, some on dovecot, periodically for the
last six weeks.  Offending IPs are logged when blocked, but they just
switch IPs as well as login user names.

At least with denyhosts the IPs are readily available.

Cheers.
B.J.

CentOS 5.4, Linux 2.6.18-164.11.1.el5 athlon 05:24:40 up 9:38, 1 user,
load average: 0.33, 0.17, 0.19

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] saslauthd attack

2010-02-10 Thread John Hinton
I'm seeing a lot of activity over the last two days with what looks to 
be a kiddie script. Mostly trying to access several of our servers with 
the username anna. All failed... in fact I don't think we have a user 
anna on any of our servers. Meanwhile...

I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also 
running fail2ban on some and Ossec on others. So far, no blocking is 
being done. When I look at the logs all I find is under messages and 
here is a sample:

Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:25 neptune saslauthd[3369]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:58 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:53 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:54 neptune saslauthd[3368]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:55 neptune saslauthd[3370]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:59 neptune saslauthd[3368]: do_auth : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]

So, I can't write a rule to block this attack as I can't find any IP 
address to block. I've looked and googled til my eyes are red and can't 
find where to set logging in saslauthd or where ever it needs to be set 
to record the IP address generating these failures. Does anyone have an 
idea?

Also, some may wish to do a grep 'do_auth' on messages to see if this is 
happening to you. They sometimes come in rapid succession.

John Hinton


Re: [CentOS] saslauthd attack

2010-02-10 Thread Lincoln Zuljewic Silva
I suppose that you are using SMTP authentication with SASL.

From the log service=smtp...so, in fact, the attack is coming from
the SMTP server and not directly to the SASL.

I guess that someone is trying to do a brute force attack on the SMTP server.

Regards
Lincoln

On Wed, Feb 10, 2010 at 6:08 PM, John Hinton webmas...@ew3d.com wrote:
 I'm seeing a lot of activity over the last two days with what looks to
 be a kiddie script. Mostly trying to access several of our servers with
 the username anna. All failed... in fact I don't think we have a user
 anna on any of our servers. Meanwhile...

 I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also
 running fail2ban on some and Ossec on others. So far, no blocking is
 being done. When I look at the logs all I find is under messages and
 here is a sample:

 Feb 10 05:23:08 neptune saslauthd[3370]: do_auth         : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 05:23:25 neptune saslauthd[3369]: do_auth         : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 05:23:58 neptune saslauthd[3370]: do_auth         : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:53 neptune saslauthd[3370]: do_auth         : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:54 neptune saslauthd[3368]: do_auth         : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:55 neptune saslauthd[3370]: do_auth         : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:59 neptune saslauthd[3368]: do_auth         : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]

 So, I can't write a rule to block this attack as I can't find any IP
 address to block. I've looked and googled til my eyes are red and can't
 find where to set logging in saslauthd or where ever it needs to be set
 to record the IP address generating these failures. Does anyone have an
 idea?

 Also, some may wish to do a grep 'do_auth' on messages to see if this is
 happening to you. They sometimes come in rapid succession.

 John Hinton

-- 
Lincoln Zuljewic Silva
More contact info.: http://www.system.adm.br/contact.php

How often must a question be asked before it’s considered a
frequently asked question?


Re: [CentOS] saslauthd attack

2010-02-10 Thread John Hinton
Yes... most of them. Just the new PITA. Anyway... I still can't seem to 
figure out how to log the IP addresses for this attack.

The system is saslauthd running as a service... sendmail and dovecot 
setup. I have log levels in sendmail set to 14. Something has to be able 
to log the offender(s).

Any ideas what I'm missing or where to look?

John

Lincoln Zuljewic Silva wrote:
 I suppose that you are using SMTP authentication with SASL.

 From the log service=smtp...so, in fact, the attack is coming from
 the SMTP server and not directly to the SASL.

 I guess that someone is trying to do a brute force attack on the SMTP server.

 Regards
 Lincoln

 On Wed, Feb 10, 2010 at 6:08 PM, John Hinton webmas...@ew3d.com wrote:
   
 I'm seeing a lot of activity over the last two days with what looks to
 be a kiddie script. Mostly trying to access several of our servers with
 the username anna. All failed... in fact I don't think we have a user
 anna on any of our servers. Meanwhile...

 I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also
 running fail2ban on some and Ossec on others. So far, no blocking is
 being done. When I look at the logs all I find is under messages and
 here is a sample:

 Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 05:23:25 neptune saslauthd[3369]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 05:23:58 neptune saslauthd[3370]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:53 neptune saslauthd[3370]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:54 neptune saslauthd[3368]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:55 neptune saslauthd[3370]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:59 neptune saslauthd[3368]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]

 So, I can't write a rule to block this attack as I can't find any IP
 address to block. I've looked and googled til my eyes are red and can't
 find where to set logging in saslauthd or where ever it needs to be set
 to record the IP address generating these failures. Does anyone have an
 idea?

 Also, some may wish to do a grep 'do_auth' on messages to see if this is
 happening to you. They sometimes come in rapid succession.

 John Hinton


Re: [CentOS] saslauthd attack

2010-02-10 Thread Clint Dilks
Perhaps you can use netstat to identify who is currently connected to 
the machine.  Then run it several times over a short period and block 
the most likely culprits ?


John Hinton wrote:
 Yes... most of them. Just the new PITA. Anyway... I still can't seem to 
 figure out how to log the IP addresses for this attack.

 The system is saslauthd running as a service... sendmail and dovecot 
 setup. I have log levels in sendmail set to 14. Something has to be able 
 to log the offender(s).

 Any ideas what I'm missing or where to look?

 John

 Lincoln Zuljewic Silva wrote:
   
 I suppose that you are using SMTP authentication with SASL.

 From the log service=smtp...so, in fact, the attack is coming from
 the SMTP server and not directly to the SASL.

 I guess that someone is trying to do a brute force attack on the SMTP server.

 Regards
 Lincoln

 On Wed, Feb 10, 2010 at 6:08 PM, John Hinton webmas...@ew3d.com wrote:
   
 
 I'm seeing a lot of activity over the last two days with what looks to
 be a kiddie script. Mostly trying to access several of our servers with
 the username anna. All failed... in fact I don't think we have a user
 anna on any of our servers. Meanwhile...

 I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also
 running fail2ban on some and Ossec on others. So far, no blocking is
 being done. When I look at the logs all I find is under messages and
 here is a sample:

 Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 05:23:25 neptune saslauthd[3369]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 05:23:58 neptune saslauthd[3370]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:53 neptune saslauthd[3370]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:54 neptune saslauthd[3368]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:55 neptune saslauthd[3370]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:59 neptune saslauthd[3368]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]

 So, I can't write a rule to block this attack as I can't find any IP
 address to block. I've looked and googled til my eyes are red and can't
 find where to set logging in saslauthd or where ever it needs to be set
 to record the IP address generating these failures. Does anyone have an
 idea?

 Also, some may wish to do a grep 'do_auth' on messages to see if this is
 happening to you. They sometimes come in rapid succession.

 John Hinton


Re: [CentOS] saslauthd attack

2010-02-10 Thread Les Bell

John Hinton wrote:


Yes... most of them. Just the new PITA. Anyway... I still can't seem to
figure out how to log the IP addresses for this attack.


I'd use iptables to log connections on that port and then time-correlate
with the log entries from saslauthd.

Best,

--- Les Bell
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
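
The time correlation suggested above, as an added example that is not part of the original post: it assumes new TCP connections to port 25 are already being logged by an iptables LOG rule, and ranks source addresses by how many saslauthd failures they precede. The firewall lines, addresses, log prefixes and the default 30-second window are constructed for illustration; the saslauthd lines follow the format quoted in this thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input. The saslauthd lines use the format quoted in this
# thread (one syslog line each). The kernel lines are what a LOG rule on new
# connections would write; the rule itself is an assumption, for example:
#   iptables -I INPUT -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-NEW: "
SASL_LOG = """\
Feb 10 05:23:08 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:25 neptune saslauthd[3369]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:58 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:53 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:54 neptune saslauthd[3368]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:55 neptune saslauthd[3370]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 06:56:59 neptune saslauthd[3368]: do_auth         : auth failure: [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
"""
FW_LOG = """\
Feb 10 05:23:05 neptune kernel: SMTP-NEW: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=25 SYN URGP=0
Feb 10 05:23:20 neptune kernel: SMTP-NEW: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40022 DPT=25 SYN URGP=0
Feb 10 06:40:00 neptune kernel: SSH-NEW: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 LEN=60 TTL=60 PROTO=TCP SPT=33001 DPT=22 SYN URGP=0
Feb 10 06:56:50 neptune kernel: SMTP-NEW: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51299 DPT=25 SYN URGP=0
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
TS = r"(?P<ts>\w{3}\s+\d+\s[\d:]{8})"
SASL_RE = re.compile(
    r"^" + TS + r"\s\S+\ssaslauthd\[\d+\]:\s+do_auth\s*:\s+auth failure:\s+"
    r"\[user=(?P<user>[^\]]*)\]\s+\[service=(?P<service>[^\]]*)\]")
FW_RE = re.compile(
    r"^" + TS + r"\s\S+\skernel:.*?\sSRC=(?P<src>[0-9.]+)\s.*?\sDPT=(?P<dpt>\d+)\b")


def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies one."""
    mon, day, clock = ts.split()
    h, m, s = (int(x) for x in clock.split(":"))
    return datetime(year, MONTHS[mon], int(day), h, m, s)


def parse_failures(text, year=2010, service="smtp"):
    """Return [(time, user)] for saslauthd auth failures of one service."""
    out = []
    for line in text.splitlines():
        m = SASL_RE.match(line)
        if m and m.group("service") == service:
            out.append((parse_ts(m.group("ts"), year), m.group("user")))
    return out


def parse_connections(text, year=2010, port=25):
    """Return [(time, source_ip)] for logged connections to one port."""
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m and int(m.group("dpt")) == port:
            out.append((parse_ts(m.group("ts"), year), m.group("src")))
    return out


def correlate(failures, connections, window_s=30):
    """Credit each failure to the sources that connected in the window before it.

    A failure with several candidate sources splits its credit between them, so
    a busy legitimate relay is not ranked as high as the one address that is
    always present. Failures with no candidate are counted, not guessed at.
    """
    window = timedelta(seconds=window_s)
    scores = defaultdict(float)
    unexplained = 0
    for when, _user in failures:
        candidates = {src for ts, src in connections
                      if timedelta(0) <= when - ts <= window}
        if not candidates:
            unexplained += 1
            continue
        for src in candidates:
            scores[src] += 1.0 / len(candidates)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, unexplained


if __name__ == "__main__":
    ranked, unexplained = correlate(parse_failures(SASL_LOG),
                                    parse_connections(FW_LOG))
    for src, score in ranked:
        print(f"{src:15s} {score:.1f}")
    print("failures with no matching connection:", unexplained)
```

One SMTP connection can carry several AUTH attempts, so a window that is too short leaves late failures unexplained while a longer one credits more bystanders.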




Re: [CentOS] saslauthd attack

2010-02-10 Thread John Hinton
I am running IPTraf and have one offender... not a problem to find the 
address by hand, but I know these things grow. Years ago it was ssh... 
they are still trying. Then FTP... then smtp... but I have not before 
seen one like this where I can't find it logged... and I want to put 
into place some automated scripts to deal with it immediately. As the 
kiddie scripts seem to go, with time, there is a need to kill off such 
things before you have 10,000 systems out there trying to authenticate 
once every second or two.

It is dictionary as it has changed to alias from anna now. LOL!!! They 
aren't going to get in... just wasting resources.

John

Clint Dilks wrote:
 Perhaps you can use netstat to identify who is currently connected to 
 the machine.  Then run it several times over a short period and block 
 the most likely culprits ?


 John Hinton wrote:
   
 Yes... most of them. Just the new PITA. Anyway... I still can't seem to 
 figure out how to log the IP addresses for this attack.

 The system is saslauthd running as a service... sendmail and dovecot 
 setup. I have log levels in sendmail set to 14. Something has to be able 
 to log the offender(s).

 Any ideas what I'm missing or where to look?

 John

 Lincoln Zuljewic Silva wrote:
   
 
 I suppose that you are using SMTP authentication with SASL.

 From the log service=smtp...so, in fact, the attack is coming from
 the SMTP server and not directly to the SASL.

 I guess that someone is trying to do a brute force attack on the SMTP 
 server.

 Regards
 Lincoln

 On Wed, Feb 10, 2010 at 6:08 PM, John Hinton webmas...@ew3d.com wrote:
   
 
   
 I'm seeing a lot of activity over the last two days with what looks to
 be a kiddie script. Mostly trying to access several of our servers with
 the username anna. All failed... in fact I don't think we have a user
 anna on any of our servers. Meanwhile...

 I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also
 running fail2ban on some and Ossec on others. So far, no blocking is
 being done. When I look at the logs all I find is under messages and
 here is a sample:

 Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 05:23:25 neptune saslauthd[3369]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 05:23:58 neptune saslauthd[3370]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:53 neptune saslauthd[3370]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:54 neptune saslauthd[3368]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:55 neptune saslauthd[3370]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:59 neptune saslauthd[3368]: do_auth : auth failure:
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]

 So, I can't write a rule to block this attack as I can't find any IP
 address to block. I've looked and googled til my eyes are red and can't
 find where to set logging in saslauthd or where ever it needs to be set
 to record the IP address generating these failures. Does anyone have an
 idea?

 Also, some may wish to do a grep 'do_auth' on messages to see if this is
 happening to you. They sometimes come in rapid succession.

 John Hinton


Re: [CentOS] saslauthd attack

2010-02-10 Thread kalinix
On Wed, 2010-02-10 at 15:08 -0500, John Hinton wrote:

 I'm seeing a lot of activity over the last two days with what looks to 
 be a kiddie script. Mostly trying to access several of our servers with 
 the username anna. All failed... in fact I don't think we have a user 
 anna on any of our servers. Meanwhile...
 
 I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also 
 running fail2ban on some and Ossec on others. So far, no blocking is 
 being done. When I look at the logs all I find is under messages and 
 here is a sample:
 
 Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure: 
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 05:23:25 neptune saslauthd[3369]: do_auth : auth failure: 
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 05:23:58 neptune saslauthd[3370]: do_auth : auth failure: 
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:53 neptune saslauthd[3370]: do_auth : auth failure: 
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:54 neptune saslauthd[3368]: do_auth : auth failure: 
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:55 neptune saslauthd[3370]: do_auth : auth failure: 
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 Feb 10 06:56:59 neptune saslauthd[3368]: do_auth : auth failure: 
 [user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
 
 So, I can't write a rule to block this attack as I can't find any IP 
 address to block. I've looked and googled til my eyes are red and can't 
 find where to set logging in saslauthd or where ever it needs to be set 
 to record the IP address generating these failures. Does anyone have an 
 idea?
 
 Also, some may wish to do a grep 'do_auth' on messages to see if this is 
 happening to you. They sometimes come in rapid succession.
 
 John Hinton


In my case the last one was on 19th of January, and came from an IP in
China 118-167-9-72.dynamic.hinet.net [118.167.9.72]. Took it
from /var/spool/maillog.

Actually I'm running Postfix with sasl, and the portion of maillog I was
looking for was: SASL LOGIN authentication failed. Don't know how it
will be on sendmail, though.

HTH,


Calin

Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857

=
Does it worry you that you don't talk any kind of sense? 


Re: [CentOS] saslauthd

2009-08-27 Thread Alexander Dalloz
 Alexander Dalloz wrote:
 First you will have to configure Postfix through main.cf:
 ...

 Next you have to make the link between Postfix and Cyrus-SASL in
 /usr/lib{64}/sasl2/smtpd.conf:
 ...

 You are done.

 Yes I am! :-)
 In fact, I DID all the above (with more or less variants), but I was
 wondering why the command testsaslauthd wouldn't allow me to test
 authentication. Now I don't care anymore - what I need it for is: postfix
 with SASL AUTH against smtp clients and for THAT I only need a properly
 filled and protected (postfix will have to be able to read the file)
 /etc/sasldb2 file.
 I was also wondering because on the machine that I'm migrating away from
 the testsaslauthd command worked. Same config and both using the same
 centos release. Ok - nevermind, the authentication works, a nice thing to
 start a thursday with.

 Thanks @Alexander, Kai and Nataraj and all others who cared!
 Kind regards
 Michael

Hello Michael,

glad that you managed to migrate to the new server.

If testsaslauthd gives an OK, this just means that saslauthd is running
and could verify the given credentials against the backend. If that
backend (-a) is shadow, then auth is checked against system users within
the shadow file. If the backend is pam, then a more complex setup is
possible. Besides checking too against system users in shadow, PAM could
be configured to test against an SQL database or an LDAP server.

If testsaslauthd is successful, it does not mean that Postfix client auth
must be successful too. That's because Postfix can be configured to use a
different authentication scheme, such as cyrus-sasl's auxprop, as you did,
or even dovecot's sasl.

You can easily imagine a situation where the admin fills a sasldb with
users and their password and where all these users can be found as well as
system accounts within the shadow file. It may be intention by the admin
or just lack of understanding. Postfix using cyrus-sasl may be configured
to auth against the sasldb data, while saslauthd would work as well. (Here
with the difference that usernames in sasldb are of format
u...@domain.tld where using saslauthd -a shadow the usernames can just
be user.)

You may counter check what the smtpd.conf file contained on your old host.
It could be that saslauthd was the primary mechanism, but set as well the
option auto_transition. You find that explained in
/usr/share/doc/cyrus-sasl*/options.html. Running that it will fill the
sasldb by itself. So you may have the impression that sasldb was your
primary authentication pool.

One final note: For cyrus-sasl, using auxprop with plugin sasldb is the
default and fallback. If nothing is configured or the configured setup
fails, then cyrus-sasl tests with auxprop and sasldb.

Best regards

Alexander






Re: [CentOS] saslauthd

2009-08-26 Thread Michael Kress


Michael Kress wrote:
 2) saslpasswd2 -c -a mail -u mail testuser
   
That's a typo - the user is testomat.
But, with the same result. :-(

 3) testsaslauthd -u testomat -p mypassword -s smtp -r mail
 shell output of testsaslauthd:
 0: NO authentication failed
   





Re: [CentOS] saslauthd

2009-08-26 Thread Kai Schaetzl
Michael Kress wrote on Wed, 26 Aug 2009 07:50:33 +0200:

 I don't know what's going on - it seems that testsaslauthd doesn't 
 lookup the user 'testomat' in /etc/sasldb2

Should it really do that with auth-mech=shadow?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: [CentOS] saslauthd

2009-08-26 Thread Michael Kress
Hi,
Kai Schaetzl wrote:
 I don't know what's going on - it seems that testsaslauthd doesn't
 lookup the user 'testomat' in /etc/sasldb2

 Should it really do that with auth-mech=shadow?

oh, I forgot to mention - of course I already tried that one:
saslauthd -d  -a pam -O /usr/lib64/sasl2/smtpd.conf -r -l

Without success.

Regards
Michael



Re: [CentOS] saslauthd

2009-08-26 Thread Kai Schaetzl
Michael Kress wrote on Wed, 26 Aug 2009 11:13:34 +0200 (CEST):

 oh, I forgot to mention - of course I already tried that one:
 saslauthd -d  -a pam -O /usr/lib64/sasl2/smtpd.conf -r -l

I may be wrong, but I would think that this still won't work. If you use 
pam or shadow saslauth should use system users and not check the sasldb.

We are using Dovecot for POP/IMAP and so I use it for SASL authentication 
since CentOS 5 as well. That has worked out-of-the-box since I first tried 
it. I see you want to use Cyrus. I've no experience with saslauthd and 
postfix, I used to use it only with sendmail and I remember that we had 
tiny problems to get it running with about every second setup back then. 
If it doesn't matter which POP/IMAP server you use I would recommend going 
with Dovecot.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: [CentOS] saslauthd

2009-08-26 Thread Alexander Dalloz


 Michael Kress wrote:
 2) saslpasswd2 -c -a mail -u mail testuser

 That's a typo - the user is testomat.
 But, with the same result. :-(

 3) testsaslauthd -u testomat -p mypassword -s smtp -r mail
 shell output of testsaslauthd:
 0: NO authentication failed

You are mixing things. saslauthd and sasldb are exclusive: either use one
or the other (at least on CentOS).

saslauthd -v

prints out the available authentication mechanisms (better to say backends).

On CentOS sasldb can only be used as a plugin by auxprop mechanism. You
will have to decide on one way to store your credentials.

If using the saslauthd, keep in mind that you can't use shared secret
mechanisms.

Alexander





Re: [CentOS] saslauthd

2009-08-26 Thread Michael Kress
Hi,
Alexander Dalloz wrote:
 2) saslpasswd2 -c -a mail -u mail testuser

 That's a typo - the user is testomat.
 But, with the same result. :-(

 3) testsaslauthd -u testomat -p mypassword -s smtp -r mail
 shell output of testsaslauthd:
 0: NO authentication failed

 You are mixing things. saslauthd and sasldb are exclusive: either use one
 or the other (at least on CentOS).

ok - I think we're coming closer to the point.
It will certainly be sasldb2, because I have an old machine with SMTP AUTH
users who are contained in /etc/sasldb2
I want to transfer these users to the new machine without having them to
assign new passwords.
Given the scenario that I copy the old /etc/sasldb2 to the new machine,
how could postfix there authenticate these SMTP AUTH users?

 On CentOS sasldb can only be used as a plugin by auxprop mechanism. You
 will have to decide on one way to store your credentials.

see above - the decision is already taken by the fact of the migration.

Regards
Michael


Re: [CentOS] saslauthd

2009-08-26 Thread Michael Kress
Kai Schaetzl wrote:
 If it doesn't matter which POP/IMAP server you use I would recommend going
 with Dovecot.

The purpose for using /etc/sasldb2 is to use SMTP AUTH. (See my other
posting).
Regards
Michael


Re: [CentOS] saslauthd

2009-08-26 Thread Alexander Dalloz
 Hi,
 Alexander Dalloz wrote:

[ ... ]

 You are mixing things. saslauthd and sasldb are exclusive: either use
 one
 or the other (at least on CentOS).

 ok - I think we're coming closer to the point.
 It will certainly be sasldb2, because I have an old machine with SMTP AUTH
 users who are contained in /etc/sasldb2
 I want to transfer these users to the new machine without having them to
 assign new passwords.
 Given the scenario that I copy the old /etc/sasldb2 to the new machine,
 how could postfix there authenticate these SMTP AUTH users?

That is pretty easy.

First you will have to configure Postfix through main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mail.example.com -- this sets the realm[1]
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous

[1] Using saslpasswd2 it is -u DOM, which is if not specified by default
the hostname.
For your existing sasldb2 BDB you can use sasldblistusers2 to list the
usernames.

At a proper place in smtpd_*_restrictions define permit_sasl_authenticated.

Next you have to make the link between Postfix and Cyrus-SASL in
/usr/lib{64}/sasl2/smtpd.conf:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: login plain cram-md5 digest-md5  - adjust to your needs

You are done.

 On CentOS sasldb can only be used as a plugin by auxprop mechanism. You
 will have to decide on one way to store your credentials.

 see above - the decision is already taken by the fact of the migration.

I understand.

 Regards
 Michael

Hope this helps. If questions or trouble remain, feel free to ask.

Best regards

Alexander




Re: [CentOS] saslauthd

2009-08-26 Thread Kai Schaetzl
Michael Kress wrote on Wed, 26 Aug 2009 14:07:44 +0200 (CEST):

 The purpose for using /etc/sasldb2 is to use SMTP AUTH.

I know (that's always the purpose), but it wasn't clear if you *have* to 
use the sasldb2. As I said you can't use authentication schemes against 
system accounts if you want to authenticate against other dbs. I think 
Alexander gave you the correct instructions for that.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: [CentOS] saslauthd

2009-08-26 Thread Nataraj
On Wed, 2009-08-26 at 14:07 +0200, Michael Kress wrote:
 Kai Schaetzl wrote:
  If it doesn't matter which POP/IMAP server you use I would recommend going
  with Dovecot.
 
 The purpose for using /etc/sasldb2 is to use SMTP AUTH. (See my other
 posting).

Dovecot can be used for incoming SMTP AUTH with postfix.  It does not
support outgoing SMTP auth (client side), but you don't need that for a
server.  It is much easier to setup than Cyrus and in the two days since
I installed it, seems to be quite reliable.  Whether you will be able to
migrate your existing database will depend on what format it is in and
which authentication mechanisms you want to support.

See: http://www.postfix.org/SASL_README.html

http://wiki.dovecot.org/Authentication  discusses the various formats of
the dovecot password database and the types of authentication supported
by each.


Nataraj

 Regards
 Michael


Re: [CentOS] saslauthd

2009-08-26 Thread Michael Kress
Alexander Dalloz wrote:
 First you will have to configure Postfix through main.cf:
...

 Next you have to make the link between Postfix and Cyrus-SASL in
 /usr/lib{64}/sasl2/smtpd.conf:
...

 You are done.

Yes I am! :-)
In fact, I DID all the above (with more or less variants), but I was
wondering why the command testsaslauthd wouldn't allow me to test
authentication. Now I don't care anymore - what I need it for is: postfix
with SASL AUTH against smtp clients and for THAT I only need a properly
filled and protected (postfix will have to be able to read the file)
/etc/sasldb2 file.
I was also wondering because on the machine that I'm migrating away from
the testsaslauthd command worked. Same config and both using the same
centos release. Ok - nevermind, the authentication works, a nice thing to
start a thursday with.

Thanks @Alexander, Kai and Nataraj and all others who cared!
Kind regards
Michael




[CentOS] saslauthd

2009-08-25 Thread Michael Kress
Hello,
I'm having trouble getting saslauthd running on a centos-5.3. I can't 
authenticate via testsaslauthd. Here's what I do using a fresh /etc/sasldb2:
1) start saslauthd in debug mode: saslauthd -d  -a shadow -O /usr/lib64/sasl2/smtpd.conf -r -l
2) saslpasswd2 -c -a mail -u mail testuser
3) testsaslauthd -u testomat -p mypassword -s smtp -r mail
shell output of testsaslauthd:
0: NO authentication failed

shell output of saslauthd:
[r...@x02-new ~]# saslauthd -d  -a shadow -O /usr/lib64/sasl2/smtpd.conf -r -l
saslauthd[1936] :main: num_procs  : 5
saslauthd[1936] :main: mech_option: /usr/lib64/sasl2/smtpd.conf
saslauthd[1936] :main: run_path   : /var/run/saslauthd
saslauthd[1936] :main: auth_mech  : shadow
saslauthd[1936] :detach_tty  : master pid is: 0
saslauthd[1936] :ipc_init: listening on socket: /var/run/saslauthd/mux
saslauthd[1936] :main: using process model
saslauthd[1936] :have_baby   : forked child: 1937
saslauthd[1936] :have_baby   : forked child: 1938
saslauthd[1936] :have_baby   : forked child: 1939
saslauthd[1936] :have_baby   : forked child: 1941
saslauthd[1937] :do_auth : auth failure: [user=testo...@mail] [service=smtp] [realm=mail] [mech=shadow] [reason=Unknown]
saslauthd[1937] :do_request  : response: NO


output in /var/log/messages:
Aug 26 07:41:31 x02-new saslauthd[1673]: server_exit : master exited: 0
Aug 26 07:41:33 x02-new saslauthd[1936]: detach_tty  : master pid is: 0
Aug 26 07:41:33 x02-new saslauthd[1936]: ipc_init: listening on socket: /var/run/saslauthd/mux
Aug 26 07:41:38 x02-new saslauthd[1937]: do_auth : auth failure: [user=testo...@mail] [service=smtp] [realm=mail] [mech=shadow] [reason=Unknown]

output of saslfinger:

#csaslfinger -s
saslfinger - postfix Cyrus sasl configuration Mi 26. Aug 07:43:47 CEST 2009
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.3.3
System: CentOS release 5.3 (Final)

-- smtpd is linked to --
libsasl2.so.2 = /usr/lib64/libsasl2.so.2 (0x2b0ffbdee000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mail
smtpd_sasl_security_options = noanonymous


-- listing of /usr/lib64/sasl2 --
insgesamt 2916
drwxr-xr-x  2 root root   4096 26. Aug 07:34 .
drwxr-xr-x 52 root root  20480 26. Aug 00:32 ..
-rwxr-xr-x  1 root root890  7. Jan 2007  libanonymous.la
-rwxr-xr-x  1 root root  15880  7. Jan 2007  libanonymous.so
-rwxr-xr-x  1 root root  15880  7. Jan 2007  libanonymous.so.2
-rwxr-xr-x  1 root root  15880  7. Jan 2007  libanonymous.so.2.0.22
-rwxr-xr-x  1 root root862  7. Jan 2007  liblogin.la
-rwxr-xr-x  1 root root  16480  7. Jan 2007  liblogin.so
-rwxr-xr-x  1 root root  16480  7. Jan 2007  liblogin.so.2
-rwxr-xr-x  1 root root  16480  7. Jan 2007  liblogin.so.2.0.22
-rwxr-xr-x  1 root root862  7. Jan 2007  libplain.la
-rwxr-xr-x  1 root root  16448  7. Jan 2007  libplain.so
-rwxr-xr-x  1 root root  16448  7. Jan 2007  libplain.so.2
-rwxr-xr-x  1 root root  16448  7. Jan 2007  libplain.so.2.0.22
-rwxr-xr-x  1 root root936  7. Jan 2007  libsasldb.la
-rwxr-xr-x  1 root root 892920  7. Jan 2007  libsasldb.so
-rwxr-xr-x  1 root root 892920  7. Jan 2007  libsasldb.so.2
-rwxr-xr-x  1 root root 892920  7. Jan 2007  libsasldb.so.2.0.22
-rw-r--r--  1 root root167 26. Aug 07:34 smtpd.conf

-- listing of /usr/lib/sasl2 --
insgesamt 2912
drwxr-xr-x  2 root root   4096 26. Aug 07:41 .
drwxr-xr-x 30 root root  12288 26. Aug 00:33 ..
-rwxr-xr-x  1 root root884  7. Jan 2007  libanonymous.la
-rwxr-xr-x  1 root root  14372  7. Jan 2007  libanonymous.so
-rwxr-xr-x  1 root root  14372  7. Jan 2007  libanonymous.so.2
-rwxr-xr-x  1 root root  14372  7. Jan 2007  libanonymous.so.2.0.22
-rwxr-xr-x  1 root root856  7. Jan 2007  liblogin.la
-rwxr-xr-x  1 root root  14752  7. Jan 2007  liblogin.so
-rwxr-xr-x  1 root root  14752  7. Jan 2007  liblogin.so.2
-rwxr-xr-x  1 root root  14752  7. Jan 2007  liblogin.so.2.0.22
-rwxr-xr-x  1 root root856  7. Jan 2007  libplain.la
-rwxr-xr-x  1 root root  14848  7. Jan 2007  libplain.so
-rwxr-xr-x  1 root root  14848  7. Jan 2007  libplain.so.2
-rwxr-xr-x  1 root root  14848  7. Jan 2007  libplain.so.2.0.22
-rwxr-xr-x  1 root root930  7. Jan 2007  libsasldb.la
-rwxr-xr-x  1 root root 905200  7. Jan 2007  libsasldb.so
-rwxr-xr-x  1 root root 905200  7. Jan 2007  libsasldb.so.2
-rwxr-xr-x  1 root root 905200  7. Jan 2007  libsasldb.so.2.0.22

-- listing of /etc/sasl2 --
insgesamt 24
drwxr-xr-x  2 root root  4096 26. Aug 07:36 .
drwxr-xr-x 85 root root 12288 26. Aug 07:38 ..




-- content of /usr/lib64/sasl2/smtpd.conf --
auto_transition: true
pwcheck_method: auxprop
saslauthd_version: 2
auxprop_plugin: sasldb
allowanonymouslogin: 0
allowplaintext: 1
mech_list: PLAIN LOGIN
log_level: 3


-- active services 

[CentOS] saslauthd question and sendmail

2008-12-26 Thread swilting
the command

[root @ r13 *** ~] # sasl2-shared-mechlist 
Available mechanisms: 
GSSAPI, ANONYMOUS CRAM-MD5, DIGEST-MD5, LOGIN, PLAIN, NTLM 
Library media: 
EXTERNAL, NTLM, PLAIN, LOGIN, DIGEST-MD5, CRAM-MD5, ANONYMOUS, GSSAPI 
[root @ r13151 ~] # 

indicates the presence of all options the customer smtp 

in the page 
http://www.sendmail.org/~ca/email/auth.html 

it indicates that you have to edit 
/etc/sysconfig/saslauthd 
it seems to me 

I have to try to change the option pam present in the file 

in plain login 

but after impossible to restart 

/sbin/service saslauthd restart 

is not working anymore

my question is related Sendmail 
I try to configure 

I thank you for all your returns 

sl

ps:Excuse my bad English I am French




Re: [CentOS] saslauthd question and sendmail

2008-12-26 Thread Kai Schaetzl
Swilting wrote on Fri, 26 Dec 2008 11:58:05 +0100:

 I have to try to change the option pam present in the file 
 
 in plain login 
 
 but after impossible to restart

This is wrong. You probably edited MECH=
This sets the method for checking the password not the SASL encryption 
method. You probably want to add plain and login to the allowed SASL 
authentication mechanisms. Set this back to what it was before or to 
MECH=shadow (this is how it works for me on CentOS 4). Make sure that 
/usr/lib/sasl2/Sendmail.conf contains the line
pwcheck_method: pwcheck saslauthd
and check that a helo contains this line:
250-AUTH PLAIN LOGIN
(how to do this is shown on Claus' page under Initial test).

 ps:Excuse my bad English I am French

There is a French list and you should use that if your MTA still doesn't 
SMTP AUTH now. You will probably need to edit your sendmail.mc file. Add 
the ehlo output from above to your explanation there, and your CentOS 
version.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





[CentOS] saslauthd crashes

2008-11-25 Thread Bazooka Joe
I just took my first cent server into production and now saslauthd
keeps crashing after brute force attack.

I found a bug report so this has already been reported but not fixed.

http://bugs.centos.org/print_bug_page.php?bug_id=2860

I assume this has to be a large problem for many people and am
surprised it hasn't been fixed yet.

Has anyone found a work around for this bug?

Is there a better rpm repo for a saslauthd that won't crash?

-bazooka


Re: [CentOS] saslauthd crashes

2008-11-25 Thread Finnur Örn Guðmundsson

Bazooka Joe wrote:

I just took my first cent server into production and now saslauthd
keeps crashing after brute force attack.

I found a bug report so this has already been reported but not fixed.

http://bugs.centos.org/print_bug_page.php?bug_id=2860

I assume this has to be a large problem for many people and am
surprised it hasn't been fixed yet.

Has anyone found a work around for this bug?

Is there a better rpm repo for a saslauthd that won't crash?

-bazooka
  

Hi,

See upstream bug here: https://bugzilla.redhat.com/show_bug.cgi?id=433583

Bgrds,
Finnur


Re: [CentOS] saslauthd crashes

2008-11-25 Thread nate
Bazooka Joe wrote:
 Has anyone found a work around for this bug?

Doesn't seem like it -

https://bugzilla.redhat.com/show_bug.cgi?id=433583

nate



Re: [CentOS] saslauthd crashes

2008-11-25 Thread Kai Schaetzl
Bazooka Joe wrote on Tue, 25 Nov 2008 09:24:26 -0800:

 saslauthd

you can use dovecot auth with postfix.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





[CentOS] saslauthd for sendmail SMTP relay

2008-05-25 Thread Bernd Bartmann
Hi,

I'm running a Centos 5.1 server that uses saslauthd to allow sendmail
SMTP relaying for some clients. saslauthd is configured to use method
shadow to lookup the username / password directly from /etc/shadow.
This setup has been working for several months now, but is broken since
last Monday. I haven't changed anything either on the server or on
the clients. Now whenever a client tries to relay email I see these
messages in the logs:

/var/log/maillog:
AUTH failure (LOGIN): authentication failure (-13) SASL(-13):
authentication failure: checkpass failed

/var/log/messages:
saslauthd[3665]: do_auth : auth failure: [user=username]
[service=smtp] [realm=] [mech=shadow] [reason=Unknown]

Does someone have an idea how to debug this further, esp. how to find
the real reason as the message [reason=Unknown] is not very helpful at
all.

Thanks in advance,
Bernd.


Re: [CentOS] saslauthd for sendmail SMTP relay

2008-05-25 Thread Ian Blackwell

Bernd Bartmann wrote:

/var/log/maillog:
AUTH failure (LOGIN): authentication failure (-13) SASL(-13):
authentication failure: checkpass failed

/var/log/messages:
saslauthd[3665]: do_auth : auth failure: [user=username]
[service=smtp] [realm=] [mech=shadow] [reason=Unknown]

Does someone have an idea how to debug this further, esp. how to find
the real reason as the message [reason=Unknown] is not very helpful at
all.

  
Is saslauthd still running?  Could it have failed or not started if the 
server has rebooted?


Ian


Re: [CentOS] saslauthd for sendmail SMTP relay

2008-05-25 Thread Bernd Bartmann
On Sun, May 25, 2008 at 11:42 AM, Ian Blackwell wrote:
 Bernd Bartmann wrote:

 /var/log/maillog:
 AUTH failure (LOGIN): authentication failure (-13) SASL(-13):
 authentication failure: checkpass failed

 /var/log/messages:
 saslauthd[3665]: do_auth : auth failure: [user=username]
 [service=smtp] [realm=] [mech=shadow] [reason=Unknown]

 Does someone have an idea how to debug this further, esp. how to find
 the real reason as the message [reason=Unknown] is not very helpful at
 all.

 Is saslauthd still running?  Could it have failed or not started if the
 server has rebooted?

Thanks Ian. That's indeed the reason. service saslauthd status gives
saslauthd dead but subsys locked. Now, what could be the reason why
saslauthd was not running any more?

cu,
Bernd.


Re: [CentOS] saslauthd for sendmail SMTP relay

2008-05-25 Thread Ian Blackwell

Bernd Bartmann wrote:

Thanks Ian. That's indeed the reason. service saslauthd status gives
saslauthd dead but subsys locked. Now, what could be the reason why
saslauthd was not running any more?

cu,
Bernd.

  
Hard to say without seeing the logs.  Does it restart for you or is it 
continuing to fail?


Ian


Re: [CentOS] saslauthd for sendmail SMTP relay

2008-05-25 Thread Bernd Bartmann
On Sun, May 25, 2008 at 2:42 PM, Ian Blackwell wrote:
 Bernd Bartmann wrote:

 Thanks Ian. That's indeed the reason. service saslauthd status gives
 saslauthd dead but subsys locked. Now, what could be the reason why
 saslauthd was not running any more?

 Hard to say without seeing the logs.  Does it restart for you or is it
 continuing to fail?

It did start without any problems. Looks like I found the cause. From
the logs I see that someone tried a brute force attack on the SMTP
relay with several username / password combinations. Then one of the
attempts led to a segfault of saslauth. Which probably means that
there is a bug in saslauthd as it should not be possible to crash a
service just by supplying a weird combination of input data.

May 18 17:25:36 srsrzfw01 saslauthd[5167]: do_auth : auth failure: [user=marketing] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
May 18 17:25:37 srsrzfw01 kernel: saslauthd[5168]: segfault at 4ba33160 rip 00323de76170 rsp 7fff78d4fb18 error 4
May 18 17:25:37 srsrzfw01 kernel: saslauthd[5166]: segfault at 4ba33160 rip 00323de76170 rsp 7fff78d4fb18 error 4
May 18 17:25:37 srsrzfw01 kernel: saslauthd[5169]: segfault at 4ba33160 rip 00323de76170 rsp 7fff78d4fb18 error 4
May 18 17:25:38 srsrzfw01 kernel: saslauthd[5170]: segfault at 4ba33160 rip 00323de76170 rsp 7fff78d4fb18 error 4
May 18 17:25:38 srsrzfw01 kernel: saslauthd[5167]: segfault at 4ba33160 rip 00323de76170 rsp 7fff78d4fb18 error 4
May 22 18:29:53 srsrzfw01 saslauthd[26597]: detach_tty  : master pid is: 26597
May 22 18:29:53 srsrzfw01 saslauthd[26597]: ipc_init: listening on socket: /var/run/saslauthd/mux
May 22 18:45:39 srsrzfw01 saslauthd[26597]: server_exit : master exited: 26597
May 22 18:47:31 srsrzfw01 saslauthd[5160]: detach_tty  : master pid is: 5160
May 22 18:47:31 srsrzfw01 saslauthd[5160]: ipc_init: listening on socket: /var/run/saslauthd/mux
May 22 18:57:24 srsrzfw01 saslauthd[5160]: server_exit : master exited: 5160

cu,
Bernd
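
The pattern described in the message above (SMTP AUTH failures, then saslauthd worker segfaults, then no saslauthd until a manual restart) can be pulled out of /var/log/messages with a short script. This is an added example, not part of the original post; the sample lines are constructed in the log format quoted in the thread, and the hostname `mailhost`, the function name `analyze` and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the syslog format quoted in this thread (not real data).
SAMPLE = """\
May 18 17:25:30 mailhost saslauthd[5167]: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
May 18 17:25:33 mailhost saslauthd[5168]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
May 18 17:25:36 mailhost saslauthd[5167]: do_auth : auth failure: [user=marketing] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
May 18 17:25:37 mailhost kernel: saslauthd[5168]: segfault at 4ba33160 rip 00323de76170 rsp 7fff78d4fb18 error 4
May 18 17:25:38 mailhost kernel: saslauthd[5167]: segfault at 4ba33160 rip 00323de76170 rsp 7fff78d4fb18 error 4
May 22 18:29:53 mailhost saslauthd[26597]: detach_tty : master pid is: 26597
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
FAIL = re.compile(r"saslauthd\[(\d+)\]: do_auth\s*: auth failure: "
                  r"\[user=([^\]]*)\] \[service=([^\]]*)\]")
SEGV = re.compile(r"kernel: saslauthd\[(\d+)\]: segfault")
START = re.compile(r"saslauthd\[\d+\]: detach_tty\s*: master pid is")

def analyze(text, year, window=timedelta(seconds=60)):
    """Summarise auth failures, worker crashes and the resulting outage."""
    failures, crashes, starts = [], [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        rest = m.group(2)
        if (f := FAIL.search(rest)):
            failures.append((when, f.group(2), f.group(3)))
        elif (s := SEGV.search(rest)):
            crashes.append((when, int(s.group(1))))
        elif START.search(rest):
            starts.append(when)
    report = {"failures": len(failures),
              "users": sorted({u for _, u, _ in failures}),
              "crashed_pids": sorted({p for _, p in crashes}),
              "crash_follows_failures": False, "outage": None}
    if crashes:
        first, last = crashes[0][0], crashes[-1][0]
        # did any auth failure land within `window` before the first crash?
        report["crash_follows_failures"] = any(
            timedelta(0) <= first - t <= window for t, _, _ in failures)
        # time with no saslauthd: last segfault until the next master start
        restart = min((t for t in starts if t > last), default=None)
        report["outage"] = restart - last if restart else None
    return report

if __name__ == "__main__":
    print(analyze(SAMPLE, 2008))
```

A non-empty `crashed_pids` with a long `outage` is the condition worth alerting on, since SMTP AUTH fails for every client until saslauthd is started again.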


Re: [CentOS] saslauthd for sendmail SMTP relay

2008-05-25 Thread Ian Blackwell

Bernd Bartmann wrote:

It did start without any problems. Looks like I found the cause. From
the logs I see that someone tried a brute force attack on the SMTP
relay with several username / password combinations. Then one of the
attempts led to a segfault of saslauth. Which probably means that
there is a bug in saslauthd as it should not be possible to crash a
service just by supplying a weird combination of input data.
  
Sounds to me like you should consider running SELinux - that is if you 
aren't already :-) .  Of course it won't solve the segfault, but it 
should restrict any damage a compromised saslauthd process can do.


Anyway, glad you're on track again.

Ian

