On 10/9/2014 4:37 AM, Tomasz Ostrowski wrote:
On 2014-09-10 16:29, David F. Skoll wrote:

Sep 10 10:28:04 vanadium sm-mta[2670]: s8AEQtDU002670: [email protected] [192.168.10.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6

I've recently configured fail2ban on my CentOS5 server with blocking based solely on this line:
Oct 9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

We had the same issue and have been working with Claus Assmann, who put us in touch with Jim Hranicky to get a patch for sendmail 8.14.5 for this issue. It needs some eyes on it, though, as we've tried to make it compatible with multiple versions of SASL.

So, based on / inspired by a patch from Jim Hranicky contributed to sendmail.org, here is a first pass at logging Auth failures. Anyone able to do some testing with it?

It compiles and doesn't blow things up but we need to put this on a server with SASL 2.0 but I don't want to delay other people testing it because I've had this sitting on my to-do list for a month+.

Regards,
KAM
--- /tmp/srvrsmtp.c     Fri Nov  7 15:37:19 2014
+++ ./srvrsmtp.c        Fri Nov  7 16:01:19 2014
@@ -593,6 +593,7 @@
        volatile int authenticating;
        char *user;
        char *in, *out2;
+       char auth_user[256];
 # if SASL >= 20000
        char *auth_id = NULL;
        const char *out;
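Review bot: auth_user[256] is declared here without an initializer, and the later hunks pass it to sm_syslog() on both failure paths. An AUTH attempt that fails before any of the sm_strlcpy() calls has run would log indeterminate stack contents as the user. Suggest setting auth_user[0] = '\0' where the other AUTH state is initialized, and clearing it again wherever RESET_SASLCONN is used, so a value left over from an earlier attempt on the same connection is not logged against a later one.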
@@ -1309,9 +1310,11 @@
                        in = xalloc(strlen(inp) + 1);
                        result = sasl_decode64(inp, strlen(inp), in,
                                               strlen(inp), &inlen);
+                        (void) sm_strlcpy(auth_user, in, sizeof(auth_user));
 # else /* SASL >= 20000 */
                        out = xalloc(strlen(inp));
                        result = sasl_decode64(inp, strlen(inp), out, &outlen);
+                       (void) sm_strlcpy(auth_user, out, sizeof(auth_user));
 # endif /* SASL >= 20000 */
                        if (result != SASL_OK)
                        {
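Review bot: both sm_strlcpy() calls in this hunk run before the result != SASL_OK check that follows them, so when sasl_decode64() fails the freshly xalloc()'d buffer is still copied and later logged as the user. The copy also ignores inlen/outlen and treats the decoded bytes as a C string, although the decoded initial response is client-supplied and its layout depends on the mechanism, so it is not necessarily a user name. Suggest moving the copy below the result check and bounding it by the decoded length.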
@@ -1471,9 +1474,9 @@
                        {
                                /* not SASL_OK or SASL_CONT */
                                message("535 5.7.0 authentication failed");
-                               if (LogLevel > 9)
+                               if (LogLevel >= 9)
                                        sm_syslog(LOG_WARNING, e->e_id,
-                                                 "AUTH failure (%s): %s (%d) 
%s, relay=%.100s",
+                                                 "AUTH failure (1) (%s): %s 
(%d) %s, relay=%.100s user=%s",
                                                  auth_type,
                                                  sasl_errstring(result, NULL,
                                                                 NULL),
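Review bot: the new user=%s conversion in the format string is unbounded and is fed bytes decoded from the client, while the neighbouring relay field is capped with %.100s. Suggest giving it a precision as well and filtering non-printable characters before the value reaches syslog. The change from LogLevel > 9 to LogLevel >= 9 also alters which configurations emit this message and is not mentioned in the description; it should be called out there or split into a separate patch.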
@@ -1483,6 +1486,7 @@
 # else /* SASL >= 20000 */
                                                  errstr == NULL ? "" : errstr,
 # endif /* SASL >= 20000 */
+                                                 auth_user,
                                                  CurSmtpClient);
                                RESET_SASLCONN;
                                authenticating = SASL_NOT_AUTH;
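Review bot: auth_user is inserted before CurSmtpClient in the argument list, but the format string in the previous hunk puts relay=%.100s before user=%s. As written, the relay field prints auth_user and the user field prints CurSmtpClient. Suggest moving auth_user to after CurSmtpClient so the arguments match the conversions.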
@@ -1699,6 +1703,7 @@
                                result = sasl_decode64(q, strlen(q), in,
                                                       &inlen);
 # endif /* SASL >= 20000 */
+                               (void) sm_strlcpy(auth_user, in, 
sizeof(auth_user));
                                if (result != SASL_OK)
                                {
                                        message("501 5.5.4 cannot BASE64 decode 
'%s'",
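Review bot: this sm_strlcpy() sits on the decode of a client continuation response and runs before the result != SASL_OK check, so it overwrites auth_user with whatever the client sent last, including after a failed decode. If this path runs for every step of a multi-step exchange, then for AUTH LOGIN the last decoded response is the password, and the failure message in the next hunk would write it to syslog. Suggest capturing the identity only from the step known to carry it, or taking it from the SASL library after the exchange, and doing so only once the decode has succeeded.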
@@ -1738,9 +1743,9 @@
                        if (result != SASL_OK && result != SASL_CONTINUE)
                        {
                                message("535 5.7.0 authentication failed");
-                               if (LogLevel > 9)
+                               if (LogLevel >= 9)
                                        sm_syslog(LOG_ERR, e->e_id,
-                                                 "AUTH failure (%s): %s (%d) 
%s, relay=%.100s",
+                                                 "AUTH failure (2) (%s): %s 
(%d) %s, relay=%.100s user=%s",
                                                  p,
                                                  sasl_errstring(result, NULL,
                                                                 NULL),
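Review bot: the message text changes from "AUTH failure (%s)" to "AUTH failure (2) (%s)" here, and to "(1)" at the first site, which breaks any log-watcher pattern anchored on the old text; the description should say so, so that fail2ban-style filters get updated with the patch. This site logs at LOG_ERR while the first site logs at LOG_WARNING, so a single rule covering both would be simpler if the priorities matched. The unbounded user=%s and the LogLevel >= 9 change raised at the first site apply here too.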
@@ -1750,6 +1755,7 @@
 # else /* SASL >= 20000 */
                                                  errstr,
 # endif /* SASL >= 20000 */
+                                                 auth_user,
                                                  CurSmtpClient);
                                RESET_SASLCONN;
                                break;
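Review bot: same argument-order problem as at the first logging site: auth_user is placed before CurSmtpClient, while the format string has relay=%.100s before user=%s, so the two fields are swapped in the logged line. Suggest moving auth_user to after CurSmtpClient.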
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
