SMTP auth & DoS filter

rulezz
Posts: 2
Joined: Thu Nov 23, 2017 7:38 am

SMTP auth & DoS filter

Postby rulezz » Wed Dec 05, 2018 9:08 am

Hello!

It seems repetitive SMTP auth failures do not trigger the DoS filter. I see a lot of messages in my zimbra.log


Dec  4 12:34:17 mail postfix/smtpd[19169]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:19 mail postfix/smtpd[19745]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:23 mail postfix/smtpd[19169]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:27 mail postfix/smtpd[19169]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:30 mail postfix/smtpd[19745]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:33 mail postfix/smtpd[19169]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:37 mail postfix/smtpd[19745]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:40 mail postfix/smtpd[19169]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:41 mail postfix/smtpd[19745]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:43 mail postfix/smtpd[19169]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:45 mail postfix/smtpd[19745]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure


But IP 49.73.158.65 is not suspended. So there is a possibility to brute-force an account password via SMTP auth. How can I prevent it?
Where is the SASL log in Zimbra? How can I figure out which account was used for auth?


JDunphy
Outstanding Member
Posts: 448
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P12 RHEL6 Network Edition

Re: SMTP auth & DoS filter

Postby JDunphy » Wed Dec 05, 2018 1:50 pm

I haven't tested this, but @lapsy added support in this script to display exactly what you are asking for, provided you are running 8.8+.
https://github.com/JimDunphy/ZimbraScripts/blob/master/src/check_login.pl
The script will print a user and then all the IP addresses and the type of failures (i.e. pop/imap/web/smtp etc.). I don't have 8.8+ so I can't validate if it works for the SMTP problem you are describing. My understanding is that the script can now handle this. Note: He also added the search feature, so you can do a -s user and it will only do that email account on subsequent queries.
Ref: https://forums.zimbra.org/viewtopic.php?f=15&t=61294&hilit=check_login.pl
fferraro87
Advanced member
Posts: 88
Joined: Thu Apr 28, 2016 8:58 am

Re: SMTP auth & DoS filter

Postby fferraro87 » Wed Dec 05, 2018 2:20 pm

JDunphy wrote: I haven't tested this, but @lapsy added support in this script to display exactly what you are asking for, provided you are running 8.8+.
https://github.com/JimDunphy/ZimbraScripts/blob/master/src/check_login.pl
The script will print a user and then all the IP addresses and the type of failures (i.e. pop/imap/web/smtp etc.). I don't have 8.8+ so I can't validate if it works for the SMTP problem you are describing. My understanding is that the script can now handle this. Note: He also added the search feature, so you can do a -s user and it will only do that email account on subsequent queries.
Ref: https://forums.zimbra.org/viewtopic.php?f=15&t=61294&hilit=check_login.pl

That script is awesome! Thanks Jim
xmana
Posts: 9
Joined: Tue Mar 21, 2017 12:58 pm

Re: SMTP auth & DoS filter

Postby xmana » Wed Jan 23, 2019 2:04 pm

JDunphy wrote: I haven't tested this, but @lapsy added support in this script to display exactly what you are asking for, provided you are running 8.8+.
https://github.com/JimDunphy/ZimbraScripts/blob/master/src/check_login.pl
The script will print a user and then all the IP addresses and the type of failures (i.e. pop/imap/web/smtp etc.). I don't have 8.8+ so I can't validate if it works for the SMTP problem you are describing. My understanding is that the script can now handle this. Note: He also added the search feature, so you can do a -s user and it will only do that email account on subsequent queries.
Ref: https://forums.zimbra.org/viewtopic.php?f=15&t=61294&hilit=check_login.pl


The script is wonderful! Thanks to the author!

Is there a ready-made solution for automatically blocking the addresses from which brute force comes?

By all protocols (POP3 / WEB / IMAP etc.)
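The first post shows the postfix lines and the last post asks for something that blocks on them automatically; neither shows what such a blocker actually does, so here is an added example that is not part of this thread and not code from check_login.pl. Zimbra's DoS filter is the Jetty HTTP DoSFilter in mailboxd, so failures that postfix/smtpd logs never reach it; a log-driven tool such as fail2ban is the usual way to turn those lines into temporary firewall bans, and the two functions below are the counting and reporting steps such a tool performs. The sample log reuses the eleven lines from the first post plus three constructed lines; the year 2018, the 198.51.100.7 client, the threshold of 5 failures within 600 seconds and all function names are assumptions. The regex covers only the postfix SASL failure line shown on this page; IMAP/POP/web failures are logged by mailboxd in a different format (which is what check_login.pl reads) and are not parsed here.

```python
"""Sliding-window detector for postfix/smtpd SASL authentication failures.

Added example for this thread; not Zimbra's, fail2ban's or check_login.pl's code.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the postfix/smtpd warning quoted in the first post. The syslog
# timestamp carries no year, so the caller supplies one (assumed below).
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<host>[^\[\s]+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)


def parse_line(line, year):
    """Return (timestamp, client_ip, sasl_mechanism) for a failure line, else None."""
    m = SASL_FAIL_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["mech"]


def offending_ips(lines, threshold=5, window_seconds=600, year=2018):
    """Sliding-window count per client IP (threshold and window are assumed values).

    Returns {ip: timestamp_of_nth_failure} for every IP that reached `threshold`
    failures inside any span of `window_seconds`; that timestamp is the moment a
    fail2ban-style jail would add its ban rule.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue  # successful auth, connect lines, other daemons: not a failure
        ts, ip, _mech = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def summarize(lines, year=2018):
    """Per-IP report: failure count, SASL mechanisms seen, first and last time."""
    report = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip, mech = parsed
        entry = report.setdefault(ip, {"count": 0, "mechs": set(), "first": ts, "last": ts})
        entry["count"] += 1
        entry["mechs"].add(mech)
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return report


# Sample input: the lines from the first post, followed by three constructed
# lines (one unrelated connect line and a second client with only two failures).
SAMPLE_LOG = """\
Dec  4 12:34:17 mail postfix/smtpd[19169]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:19 mail postfix/smtpd[19745]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:23 mail postfix/smtpd[19169]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:27 mail postfix/smtpd[19169]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:30 mail postfix/smtpd[19745]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:33 mail postfix/smtpd[19169]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:37 mail postfix/smtpd[19745]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:40 mail postfix/smtpd[19169]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:41 mail postfix/smtpd[19745]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:43 mail postfix/smtpd[19169]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:34:45 mail postfix/smtpd[19745]: warning: unknown[49.73.158.65]: SASL LOGIN authentication failed: authentication failure
Dec  4 12:35:02 mail postfix/smtpd[19745]: connect from unknown[198.51.100.7]
Dec  4 12:35:03 mail postfix/smtpd[19745]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Dec  4 12:35:09 mail postfix/smtpd[19745]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
""".splitlines()

if __name__ == "__main__":
    for ip, when in offending_ips(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S}  would ban {ip}")
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} failures via {sorted(info['mechs'])} "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

Run against the sample, 49.73.158.65 crosses the threshold at its fifth failure (12:34:30) while 198.51.100.7 stays below it. Shrinking the window to 10 seconds still catches the first client but later (at 12:34:43), and a 5-second window never does, which is the trade-off any such blocker makes between reacting quickly and tolerating a user who mistypes a password a few times. In production the ban action is a firewall rule with an expiry, and the addresses of your own relays and webmail hosts belong on an ignore list before the jail is enabled, so a single misconfigured internal client cannot cut off legitimate mail.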
