@James, big thanks for the information. I think your clarity about the
logging of the rhost and the Red Hat bug helped a bit.

To help get work completed on this bug I tried to reproduce this by
setting up a mail server using sasl using these steps [1]. I was then
able to telnet to it from a remote host and attempt to log in. In
mail.log I got the following messages:

Jan 25 16:55:58 uvt-yakkety postfix/smtpd[3313]: connect from unknown[192.168.122.1]
Jan 25 16:56:13 uvt-yakkety postfix/smtpd[3313]: warning: unknown[192.168.122.1]: SASL login authentication failed: authentication failure

which show the remote host IP; however, in auth.log I see:

Jan 25 16:56:12 uvt-yakkety saslauthd[3020]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=powersj
Jan 25 16:56:13 uvt-yakkety saslauthd[3020]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jan 25 16:56:13 uvt-yakkety saslauthd[3020]: do_auth         : auth failure: [user=powersj] [service=smtp] [realm=uvt-yakkety] [mech=pam] [reason=PAM auth error]

I believe this replicated the issue; can you confirm?

[1] https://wiki.debian.org/PostfixAndSASL

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1657897

Title:
  Failure to report rhosts

Status in cyrus-sasl2 package in Ubuntu:
  Incomplete

Bug description:
  
  When using sasl2-bin and saslauthd it will fail to work correctly with pam.

  The first major problem is that it will fail to report the rhost
  address in the log which means auth failures cannot be policed and no
  useful data (the ip address) is reported to the log file. Example
  below during a password brute force attempt.

  Jan 19 21:57:16 mail saslauthd[1534]: pam_unix(smtp:auth): check pass; user unknown
  Jan 19 21:57:16 mail saslauthd[1534]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

  The other issue is that it would be great to be able to IP restrict
  logins based on pam module configuration. Based on previous reading,
  and as far as I can tell, the remote IP address is not supported
  between the imap/pop/smtp process and sasl2. Is it possible to add
  support for this?

  Technically this is a long-standing security issue because fail2ban
  cannot be used to process the syslog file and auto block the host
  during brute force password attempts.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1657897/+subscriptions
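
Added example, not part of the bug report or of any project named in it: since auth.log carries the user but an empty rhost= while mail.log carries the client IP, the two logs can be joined on timestamp to attribute each PAM failure. The function names, the 5-second window, the year 2017, and the second and third sample entries are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed samples modelled on the excerpts in this thread; the attempt
# from 203.0.113.7 (user "alice") and the 18:30:00 entry are invented.
MAIL_LOG = """\
Jan 25 16:56:13 uvt-yakkety postfix/smtpd[3313]: warning: unknown[192.168.122.1]: SASL login authentication failed: authentication failure
Jan 25 17:02:41 uvt-yakkety postfix/smtpd[3320]: warning: unknown[203.0.113.7]: SASL login authentication failed: authentication failure
"""
AUTH_LOG = """\
Jan 25 16:56:12 uvt-yakkety saslauthd[3020]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=powersj
Jan 25 17:02:40 uvt-yakkety saslauthd[3020]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=alice
Jan 25 18:30:00 uvt-yakkety saslauthd[3020]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
"""

STAMP = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
# rhost= may be empty (the bug) and user= may be absent (unknown user).
PAM_FAIL = re.compile(STAMP + r"saslauthd\[\d+\]: pam_unix\(\w+:auth\): "
                      r"authentication failure;.*\brhost=(\S*)(?:\s+user=(\S+))?")
SMTPD_FAIL = re.compile(STAMP + r"postfix/smtpd\[\d+\]: warning: "
                        r"\S+\[([0-9A-Fa-f.:]+)\]: SASL \S+ authentication failed")

def _when(stamp, year=2017):
    # Classic syslog stamps omit the year; 2017 is an assumption.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def attribute_failures(auth_log, mail_log, window=timedelta(seconds=5)):
    """Return (time, user, ip) per PAM failure. When PAM logged an empty
    rhost, ip comes from the nearest smtpd failure within `window`."""
    smtpd = [(_when(m[1]), m[2])
             for m in map(SMTPD_FAIL.match, mail_log.splitlines()) if m]
    out = []
    for m in filter(None, map(PAM_FAIL.match, auth_log.splitlines())):
        t, ip = _when(m[1]), m[2] or None
        if ip is None:
            near = [(abs(t - ts), addr) for ts, addr in smtpd
                    if abs(t - ts) <= window]
            ip = min(near)[1] if near else None
        out.append((t, m[3], ip))
    return out

if __name__ == "__main__":
    for t, user, ip in attribute_failures(AUTH_LOG, MAIL_LOG):
        print(t.time(), user or "(unknown user)", ip or "no smtpd match")
```

Timestamp proximity is a heuristic: when several clients fail within the same second the join can pick the wrong address, so the result suits triage better than automatic blocking.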
