On Sun, Feb 13, 2022 at 11:56:27AM -0500, post...@ptld.com wrote:

> Just to clarify, does this error mean they requested SASL login and
> postfix told them it wasn't enabled? I am under the belief SASL
> logins are disabled on port 25.

Are you sure the connection was to port 25? Is submission configured
on an alternative port, and if so, how?

> Or does it mean postfix allowed them to provide login details and it
> failed because of bad user/pass? I just want to verify it's not
> enabled, because they repeatedly did this like a dictionary brute
> force attempt.

SASL auth is not enabled on port 25:

    $ posttls-finger ptld.com
    posttls-finger: Connected to smtp.ptld.com[204.10.37.139]:25
    posttls-finger: < 220 smtp.ptld.com ESMTP Postfix
    posttls-finger: > EHLO amnesiac
    posttls-finger: < 250-smtp.ptld.com
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-SIZE 30720000
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-SMTPUTF8
    posttls-finger: < 250 CHUNKING
    posttls-finger: > STARTTLS
    posttls-finger: < 220 2.0.0 Ready to start TLS
    posttls-finger: smtp.ptld.com[204.10.37.139]:25: subjectAltName: bimi.ptld.com
    posttls-finger: smtp.ptld.com[204.10.37.139]:25: subjectAltName: host.ptld.com
    posttls-finger: smtp.ptld.com[204.10.37.139]:25: subjectAltName: mail.ptld.com
    posttls-finger: smtp.ptld.com[204.10.37.139]:25: Matched subjectAltName: ptld.com
    posttls-finger: smtp.ptld.com[204.10.37.139]:25: Matched subjectAltName: smtp.ptld.com
    posttls-finger: smtp.ptld.com[204.10.37.139]:25: subjectAltName: www.ptld.com
    posttls-finger: smtp.ptld.com[204.10.37.139]:25 CommonName ptld.com
    posttls-finger: certificate verification failed for smtp.ptld.com[204.10.37.139]:25: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
    posttls-finger: smtp.ptld.com[204.10.37.139]:25: subject_CN=ptld.com, issuer_CN=R3, fingerprint=74:E0:1D:F1:1B:4B:16:1A:00:4B:2A:2C:50:37:09:95:F6:A9:5C:EF, pkey_fingerprint=78:4C:AD:13:B6:55:BE:6F:51:28:8F:77:79:1B:A4:42:67:9A:FA:4E
    posttls-finger: Untrusted TLS connection established to smtp.ptld.com[204.10.37.139]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    posttls-finger: > EHLO amnesiac
    posttls-finger: < 250-smtp.ptld.com
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-SIZE 30720000
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-SMTPUTF8
    posttls-finger: < 250 CHUNKING
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 Bye

> postfix/smtpd[1940626]: connect from unknown[5.34.207.103]
> postfix/smtpd[1940626]: warning: unknown[5.34.207.103]: SASL LOGIN
> authentication failed: UGFzc3dvcmQ6
> postfix/smtpd[1940626]: disconnect from unknown[5.34.207.103] ehlo=1 auth=0/1
> rset=1 quit=1 commands=3/4

That said, this log entry seems to indicate SASL support, because it
reported a specific SASL mechanism (LOGIN) failing, and the stage at
which it failed is:

    $ echo $(echo UGFzc3dvcmQ6 | openssl base64 -d)
    Password:

So it looks like a username was prompted for and sent, and then a
password.

-- 
    Viktor.
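The two checks Viktor performs by hand above (does the EHLO banner advertise AUTH, and how far did the failed LOGIN attempt get) can be scripted for routine log review. The following Python is an added example written for this page; it is not Postfix code and not part of the thread. It assumes the standard SASL LOGIN challenge strings "Username:" and "Password:", and that the trailing base64 token in the smtpd warning is the last challenge the server sent, as the message above reads it. The syslog prefix and hostname on the sample log line are constructed; the EHLO transcript is the post-STARTTLS capability list from the posttls-finger run quoted in the thread.

```python
import base64
import re
from typing import Dict, Iterable, Optional

# Constructed sample: the smtpd warning quoted in the thread, with a made-up
# syslog timestamp and hostname ("mx1") prepended.
SAMPLE_LOG = (
    "Feb 13 11:50:01 mx1 postfix/smtpd[1940626]: warning: "
    "unknown[5.34.207.103]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"
)

# Sample transcript: the post-STARTTLS EHLO exchange from the thread's
# posttls-finger output. Note there is no 250-AUTH line on port 25.
SAMPLE_EHLO = """\
posttls-finger: > EHLO amnesiac
posttls-finger: < 250-smtp.ptld.com
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 30720000
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-SMTPUTF8
posttls-finger: < 250 CHUNKING
"""

# Postfix smtpd warning for a failed SASL authentication. For LOGIN the
# "detail" group is the base64 challenge outstanding when the attempt failed.
SASL_FAIL_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: warning: (?P<client>\S+): "
    r"SASL (?P<mech>\S+) authentication failed: (?P<detail>.*)$"
)

# The two challenges the LOGIN mechanism sends, in this order (assumed standard).
LOGIN_STAGES = {"Username:": "username", "Password:": "password"}


def decode_login_challenge(token: str) -> str:
    """Decode a base64 LOGIN challenge; return '' if the token is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify_sasl_failure(line: str) -> Optional[dict]:
    """Parse one 'SASL ... authentication failed' line.

    Returns None for unrelated lines. For LOGIN, 'stage' says whether the
    client failed after the username prompt or after the password prompt,
    i.e. whether credentials were actually submitted and rejected.
    """
    m = SASL_FAIL_RE.search(line)
    if m is None:
        return None
    detail = m.group("detail").strip()
    challenge = decode_login_challenge(detail) if m.group("mech") == "LOGIN" else ""
    return {
        "pid": int(m.group("pid")),
        "client": m.group("client"),
        "mech": m.group("mech"),
        "challenge": challenge,
        "stage": LOGIN_STAGES.get(challenge, "unknown"),
    }


def ehlo_offers_auth(transcript: str) -> bool:
    """True if any 250-/250 keyword line in an EHLO response advertises AUTH.

    Works on raw SMTP lines ('250-AUTH PLAIN LOGIN') and on posttls-finger
    output ('posttls-finger: < 250-AUTH PLAIN LOGIN').
    """
    for line in transcript.splitlines():
        m = re.search(r"\b250[- ]([A-Za-z0-9.-]+)", line)
        if m and m.group(1).upper() == "AUTH":
            return True
    return False


def count_failures_by_client(lines: Iterable[str]) -> Dict[str, int]:
    """Tally failed SASL attempts per client; repeated hits from one address
    are the dictionary-attack pattern the original poster was seeing."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = classify_sasl_failure(line)
        if rec is not None:
            counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return counts


if __name__ == "__main__":
    print(classify_sasl_failure(SAMPLE_LOG))
    print("EHLO advertises AUTH:", ehlo_offers_auth(SAMPLE_EHLO))
    print(count_failures_by_client([SAMPLE_LOG, SAMPLE_LOG]))
```

Run against a day's mail log (`grep 'SASL' /var/log/mail.log` piped into `count_failures_by_client`), the per-client tally shows which addresses are hammering the listener, and the `stage` field tells you whether they were ever offered a password prompt; a listener whose EHLO response contains no AUTH keyword, as in the transcript above, should produce no such warnings at all, so seeing them is the cue to check which port the connection really arrived on.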