Dear all, I am using Fail2Ban v0.8.13 on a CentOS 6 system to protect my Postfix servers. Basically it works, so after 5 wrong login attempts on SMTP I get banned.
Fail2Ban Jail conf
[sasl-iptables]
enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, [email protected], [email protected]]
logpath = /var/log/maillog
maxretry = 5
My sasl settings in main.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
My smtp.conf (Postfix)
pwcheck_method: saslauthd
mech_list: login CRAM-MD5 DIGEST-MD5
My EHLO Status (Postfix)
EHLO mail.xxx.ch
250-mail.xxx.ch
250-PIPELINING
250-SIZE 50480000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN CRAM-MD5 DIGEST-MD5
250-AUTH=LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
The issue I have is that when I send a mail five times successfully with MS Outlook 2016, the 6th mail gets blocked.
I assume it is an issue because Outlook tries multiple auth methods and some of them fail before logging in successfully to the Postfix SMTP server.
Does somebody have an idea how I can solve this problem, e.g. so that the Fail2Ban counter gets reset after a successful login? Or how can I optimize the Postfix SASL settings so that Outlook does not have to try multiple auth methods until one works? According to the log file it fails on the DIGEST-MD5 method and then switches over to the LOGIN method.
Extract from maillog (Postfix):
Mar 8 23:38:44 postfix/smtpd[9295]: setting up TLS connection from 84-74-210-140.dclient.hispeed.ch[84.74.210.140]
Mar 8 23:38:44 postfix/smtpd[9295]: Anonymous TLS connection established from 84-74-210-140.dclient.hispeed.ch[84.74.210.140]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 8 23:38:44 postfix/smtpd[9295]: warning: SASL authentication failure: realm changed: authentication aborted
Mar 8 23:38:44 postfix/smtpd[9295]: warning: 84-74-210-140.dclient.hispeed.ch[84.74.210.140]: SASL DIGEST-MD5 authentication failed: authentication failure
Mar 8 23:38:45 postfix/smtpd[9295]: 0AF2127E0113: client=84-74-210-140.dclient.hispeed.ch[84.74.210.140], sasl_method=LOGIN, sasl_username=xxxx
As requested in the discussion below, I added the relevant filters from Fail2Ban:
postfix-sasl.conf
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
sasl.conf
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
I did not find much information on whether DIGEST-MD5 works properly in conjunction with Outlook and Postfix. Most threads / discussions about this topic that I have found recommended simply removing the DIGEST-MD5 method from the mech list.
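To see why the jail trips after five good mails, it helps to replay the filter over the log lines from the question. The following is an added example, not code from the question or from the Fail2Ban or Postfix projects: it expands the two Fail2Ban templates in the posted failregex by hand (a simplified syslog prefix stands in for `%(__prefix_line)s`, which is an assumption; `<HOST>` becomes the capture group Fail2Ban itself substitutes), counts hits per host the way a jail does, and replays one Outlook session several times. The session lines are the ones from the maillog extract above.

```python
import re

# Constructed sample: the relevant lines of one Outlook 2016 session from the
# maillog extract in the question (DIGEST-MD5 fails, then LOGIN succeeds).
OUTLOOK_SESSION = [
    "Mar 8 23:38:44 postfix/smtpd[9295]: setting up TLS connection from 84-74-210-140.dclient.hispeed.ch[84.74.210.140]",
    "Mar 8 23:38:44 postfix/smtpd[9295]: warning: SASL authentication failure: realm changed: authentication aborted",
    "Mar 8 23:38:44 postfix/smtpd[9295]: warning: 84-74-210-140.dclient.hispeed.ch[84.74.210.140]: SASL DIGEST-MD5 authentication failed: authentication failure",
    "Mar 8 23:38:45 postfix/smtpd[9295]: 0AF2127E0113: client=84-74-210-140.dclient.hispeed.ch[84.74.210.140], sasl_method=LOGIN, sasl_username=xxxx",
]

# Constructed: the same session as it would look with DIGEST-MD5 removed from
# mech_list, so Outlook goes straight to LOGIN and no failure is logged.
LOGIN_ONLY_SESSION = [OUTLOOK_SESSION[0], OUTLOOK_SESSION[3]]

# The failregex from the question's sasl.conf with Fail2Ban's templates expanded.
# Assumption: PREFIX is a simplified stand-in for Fail2Ban's %(__prefix_line)s
# (timestamp, optional hostname, daemon[pid]:); HOST is the group Fail2Ban
# substitutes for <HOST>.
PREFIX = r"^\s*(?:\S+\s+\d+\s+\d+:\d+:\d+\s+)?(?:\S+\s+)?(?:postfix/)?smtpd\[\d+\]:\s+"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = re.compile(
    PREFIX
    + r"warning: [-._\w]+\[" + HOST + r"\]: SASL "
    + r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    + r"(: [ A-Za-z0-9+/]*={0,2})?\s*$"
)


def count_failures(lines):
    """Return {host: number of failregex hits} for the given log lines.

    Only the 'SASL ... authentication failed' warning matches; the
    'realm changed' warning and the successful LOGIN line do not.
    """
    counts = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts


def banning_session(session, maxretry=5, sessions=10):
    """Replay `sessions` copies of one client session through a per-host
    counter and return the 1-based session number at which the host reaches
    maxretry hits, or None if it never does.

    The filter has no rule for a successful login, so the counter is never
    reset by a success; every session that logs one failure adds one hit.
    """
    host_counts = {}
    for n in range(1, sessions + 1):
        for host, hits in count_failures(session).items():
            host_counts[host] = host_counts.get(host, 0) + hits
            if host_counts[host] >= maxretry:
                return n
    return None


if __name__ == "__main__":
    print(count_failures(OUTLOOK_SESSION))       # one hit per Outlook session
    print(banning_session(OUTLOOK_SESSION))      # the 5th mail trips the jail
    print(banning_session(LOGIN_ONLY_SESSION))   # never banned without DIGEST-MD5
```

With maxretry = 5 the fifth Outlook session pushes the host to five hits and the iptables action fires, which is why the sixth mail is the one that gets blocked. Dropping DIGEST-MD5 from mech_list removes the failing attempt entirely, so the filter never sees a hit from this client.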