postfix sasl custom regex not working

4 posts Page 1 of 1
rick111
Junior Member
Posts: 6
Joined: 04 Sep 2013, 16:16


Hi

I've read through quite a few posts on this forum and no one else seems to have the issue I'm having. I can't even get csf to register the postfix sasl attacks.

Centos 6.3
/etc/csf/regex.custom.pm
Code:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Za-z]*? authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","3","25","600");
}
POP3D_LOG and CUSTOM1_LOG both point to /var/log/maillog

I've tried a few variations of the rules from this forum, but none seem to pick up the auth failures.

Example of auth failure
Code:
Sep  5 14:02:38 li622-171 postfix/smtpd[5710]: connect from removed[5.135.157.207]
Sep  5 14:02:41 li622-171 postfix/smtpd[5710]: warning: removed[5.135.157.207]: SASL login authentication failed: authentication failure
Sep  5 14:02:52 li622-171 postfix/smtpd[5710]: NOQUEUE: reject: RCPT from removed[5.135.157.207]: 554 5.7.1 <removed>: Relay access denied; from=<removed> to=<tremoved> proto=ESMTP helo=<NanoOVH>
I've tried it many times, but the attempt is never blocked.

Thanks
Last edited by rick111 on 30 Oct 2015, 14:18, edited 2 times in total.
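To check a rule like this offline before touching lfd, here is an added Python harness (not part of the thread and not csf's own code) that runs the first post's regex over the maillog lines quoted in the thread and emulates the 3-hits-in-600-seconds trigger the rule returns. Python's re accepts this pattern unchanged; the year in the timestamps is assumed, since syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# The custom regex from the first post, verbatim (Perl and Python re agree on it).
SASL_FAIL = re.compile(
    r"^\S+\s+\d+\s+\S+ \S+ postfix/smtpd\[\d+\]: warning:.*"
    r"\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Za-z]*? authentication failed"
)

# Trigger settings taken from the rule's return(): 3 hits within 600 seconds.
TRIGGER_COUNT, TRIGGER_WINDOW = 3, 600

# Log lines quoted from the thread (the first is a plain connect, not a failure).
SAMPLE_LOG = """\
Sep  5 14:02:38 li622-171 postfix/smtpd[5710]: connect from removed[5.135.157.207]
Sep  5 14:02:41 li622-171 postfix/smtpd[5710]: warning: removed[5.135.157.207]: SASL login authentication failed: authentication failure
Sep  8 19:41:17 li622-171 postfix/smtpd[16954]: warning: unknown[89.248.172.122]: SASL LOGIN authentication failed: authentication failure
Sep  8 19:43:29 li622-171 postfix/smtpd[16954]: warning: unknown[89.248.172.122]: SASL LOGIN authentication failed: bad protocol / cancel
Sep  8 19:43:53 li622-171 postfix/smtpd[16954]: warning: unknown[89.248.172.122]: SASL LOGIN authentication failed: authentication failure
"""

def parse_ts(line, year=2013):
    """Syslog lines carry no year; 2013 is assumed here to match the thread's dates."""
    mon, day, clock = line.split()[:3]
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")

def match_failures(lines):
    """Return (timestamp, ip) for every line the csf rule would match."""
    hits = []
    for line in lines:
        m = SASL_FAIL.search(line)
        if m:
            hits.append((parse_ts(line), m.group(1)))
    return hits

def blocked_ips(lines, count=TRIGGER_COUNT, window=TRIGGER_WINDOW):
    """Emulate LF_CUSTOMTRIGGER: an IP is blocked once `count` matches fall
    within `window` seconds of each other. Returns IPs in blocking order."""
    recent = defaultdict(list)
    blocked = []
    for ts, ip in match_failures(lines):
        # Keep only this IP's hits that are still inside the sliding window.
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window]
        recent[ip].append(ts)
        if len(recent[ip]) >= count and ip not in blocked:
            blocked.append(ip)
    return blocked

if __name__ == "__main__":
    print(blocked_ips(SAMPLE_LOG.splitlines()))
```

Running it confirms the regex itself is fine: the host with three failures inside 156 seconds is reported, the single failure is not, exactly as lfd behaved once the rule was loaded from the right file.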
rick111
Junior Member
Posts: 6
Joined: 04 Sep 2013, 16:16


So something strange happened over the weekend. With all my tests I couldn't ban SASL fails, but then I got this.
Code:
Sep  8 19:41:17 li622-171 postfix/smtpd[16954]: warning: unknown[89.248.172.122]: SASL LOGIN authentication failed: authentication failure 
Sep  8 19:43:29 li622-171 postfix/smtpd[16954]: warning: unknown[89.248.172.122]: SASL LOGIN authentication failed: bad protocol / cancel 
Sep  8 19:43:53 li622-171 postfix/smtpd[16954]: warning: unknown[89.248.172.122]: SASL LOGIN authentication failed: authentication failure
Code:
Sep  8 19:43:55 li622-171 lfd[17033]: (mysaslmatch) Failed SASL login from 89.248.172.122 (NL/Netherlands/-): 3 in the last 3600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
So then I tried again myself
Code:
Sep  9 14:29:17 li622-171 postfix/smtpd[2155]: warning: unknown[5.135.157.207]: SASL login authentication failed: authentication failure
No ban... very confusing.
rick111
Junior Member
Posts: 6
Joined: 04 Sep 2013, 16:16


I was editing /etc/cfs/regex.custom.pm instead of /usr/local/csf/bin/regex.custom.pm...

fixed now
rick111
Junior Member
Posts: 6
Joined: 04 Sep 2013, 16:16


For reference, as I come back to this post to help configure the rule: you change the custom_log location in /etc/csf/csf.conf.

And for Debian the mail log file is /var/log/mail.log.

To restart csf:
su
csf -r (however, I think it's lfd you need to restart, which I did via Webmin)