SASL authentication failure: All-whitespace username

  • Odilo Schwade Junior
    Message 1 of 6 , Mar 24 6:42 AM
      Hi, our mail server started to show up a warning about the SASL auth, and I'm starting to get some issues with pop3 and smtp. I'm not able to download the messages on my mail client, and there are some messages that weren't sent by our system.

      I did some research, but couldn't find any useful information related. Could it be a DDoS/Bruteforce attack?

      There are different IP locations.. most of Brazil, Portugal, US..

      Postfix version: postfix-2.7.0,1
      Postfix version (fallback): postfix-2.8.1,1

      I'm using FreeBSD as server.

      The /var/log/maillog shows:

      Mar 24 10:17:10 mailserver postfix/smtpd[9301]: warning: SASL authentication failure: All-whitespace username.
      Mar 24 10:17:10 mailserver postfix/smtpd[9301]: warning: unknown[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure
      Mar 24 10:17:11 mailserver postfix/smtpd[9301]: warning: SASL authentication failure: All-whitespace username.
      Mar 24 10:17:11 mailserver postfix/smtpd[9301]: warning: unknown[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure
      --
      Mar 24 10:17:12 mailserver postfix/smtpd[10175]: warning: SASL authentication failure: All-whitespace username.
      Mar 24 10:17:12 mailserver postfix/smtpd[10175]: warning: XXX.XXX.XXX.XXX.dsl.telesp.net.br[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure
      Mar 24 10:17:13 mailserver postfix/smtpd[10175]: warning: SASL authentication failure: All-whitespace username.
      Mar 24 10:17:13 mailserver postfix/smtpd[10175]: warning: XXX.XXX.XXX.XXX.dsl.telesp.net.br[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure
      --
      Mar 24 10:17:14 mailserver postfix/smtpd[9939]: warning: SASL authentication failure: All-whitespace username.
      Mar 24 10:17:14 mailserver postfix/smtpd[9939]: warning: XXX.XXX.XXX.XXX.static.ctbctelecom.com.br[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure
      --
      Mar 24 10:17:15 mailserver postfix/smtpd[9939]: warning: SASL authentication failure: All-whitespace username.
      Mar 24 10:17:15 mailserver postfix/smtpd[9939]: warning: XXX.XXX.XXX.XXX.static.ctbctelecom.com.br[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure
      --
      Mar 24 10:17:15 mailserver postfix/smtpd[10394]: warning: SASL authentication failure: All-whitespace username.
      Mar 24 10:17:15 mailserver postfix/smtpd[10394]: warning: XXX.XXX.XXX.XXX.dsl.telesp.net.br[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure
      --
      Mar 24 10:17:15 mailserver postfix/smtpd[9129]: warning: SASL authentication failure: All-whitespace username.
      Mar 24 10:17:15 mailserver postfix/smtpd[9129]: warning: XXX.XXX.XXX.XXX.cslce701.dsl.brasiltelecom.net.br[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure
      Mar 24 10:17:16 mailserver postfix/smtpd[10394]: warning: SASL authentication failure: All-whitespace username.
      Mar 24 10:17:16 mailserver postfix/smtpd[10394]: warning: XXX.XXX.XXX.XXX.dsl.telesp.net.br[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure
      --
      Mar 24 10:17:16 mailserver postfix/smtpd[9129]: warning: SASL authentication failure: All-whitespace username.
      Mar 24 10:17:16 mailserver postfix/smtpd[9129]: warning: XXX.XXX.XXX.XXX.cslce701.dsl.brasiltelecom.net.br[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure
      Mar 24 10:17:16 mailserver postfix/smtpd[10072]: warning: SASL authentication failure: All-whitespace username.
      Mar 24 10:17:16 mailserver postfix/smtpd[10072]: warning:XXX.XXX.XXX.XXX.dsl.telesp.net.br[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure

      Anything that I can do to fix this?

      Thanks in advance.

      ps: I know the postfix version is outdated, but I'm waiting until weekend to upgrade it.
    • Victor Duchovni
      Message 2 of 6 , Mar 24 9:01 AM
        On Thu, Mar 24, 2011 at 10:42:58AM -0300, Odilo Schwade Junior wrote:

        > Mar 24 10:17:10 mailserver postfix/smtpd[9301]: warning: SASL authentication
        > failure: All-whitespace username.
        > Mar 24 10:17:10 mailserver postfix/smtpd[9301]: warning:
        > unknown[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure
        > Mar 24 10:17:11 mailserver postfix/smtpd[9301]: warning: SASL authentication
        > failure: All-whitespace username.
        > Mar 24 10:17:11 mailserver postfix/smtpd[9301]: warning:
        > unknown[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure

        Is "unknown[XXX.XXX.XXX.XXX]" your IP address or the IP address of a zombie
        doing a brute-force attack?

        If it is your IP address, perhaps your SASL login name is misconfigured.

        --
        Viktor.
      • Odilo Schwade Junior
        Message 3 of 6 , Mar 24 10:07 AM
          It is not my IP address. I don't know if it's a zombie.. I just think it may be..
          XXX.XXX.XXX.XXX = random IP addresses. Most of Brazil, Portugal and US as I said earlier.

          thanks

          On Thu, Mar 24, 2011 at 1:01 PM, Victor Duchovni <Victor.Duchovni@...> wrote:
          On Thu, Mar 24, 2011 at 10:42:58AM -0300, Odilo Schwade Junior wrote:

          > Mar 24 10:17:10 mailserver postfix/smtpd[9301]: warning: SASL authentication
          > failure: All-whitespace username.
          > Mar 24 10:17:10 mailserver postfix/smtpd[9301]: warning:
          > unknown[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure
          > Mar 24 10:17:11 mailserver postfix/smtpd[9301]: warning: SASL authentication
          > failure: All-whitespace username.
          > Mar 24 10:17:11 mailserver postfix/smtpd[9301]: warning:
          > unknown[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: generic failure

          Is "unknown[XXX.XXX.XXX.XXX]" your IP address or the IP address of a zombie
          doing a brute-force attack?

          If it is your IP address, perhaps your SASL login name is misconfigured.

          --
                 Viktor.



        • Victor Duchovni
          Message 4 of 6 , Mar 24 10:38 AM
            On Thu, Mar 24, 2011 at 02:07:43PM -0300, Odilo Schwade Junior wrote:

            > It is not my IP address. I don't know if it's a zombie.. I just think it may
            > be.. XXX.XXX.XXX.XXX = random IPs address. Most of Brazil, Portugal
            > and US as I said earlier.

            You can restrict SASL to TLS only, then perhaps fewer zombies will bother.
            If you get SASL attempts from TLS-enabled zombies, just make sure your
            passwords are strong enough to not succumb to easy dictionary attacks.

            --
            Viktor.
          • Patrick Ben Koetter
            Message 5 of 6 , Mar 24 10:51 AM
              * Victor Duchovni <postfix-users@...>:
              > On Thu, Mar 24, 2011 at 02:07:43PM -0300, Odilo Schwade Junior wrote:
              >
              > > It is not my IP address. I don't know if it's a zombie.. I just think it may
              > > be.. XXX.XXX.XXX.XXX = random IPs address. Most of Brazil, Portugal
              > > and US as I said earlier.
              >
              > You can restrict SASL to TLS only, then perhaps fewer zombies will bother.
              > If you get SASL attempts from TLS-enabled zombies, just make sure your
              > passwords are strong enough to not succumb to easy dictionary attacks.

              You can also use fail2ban to ban (iptables) clients that have X unsuccessful
              SASL login attempts.

              p@rick


              --
              All technical questions asked privately will be automatically answered on the
              list and archived for public access unless privacy is explicitly required and
              justified.

              saslfinger (debugging SMTP AUTH):
              <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
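
The counting that a fail2ban-style ban relies on, run over maillog lines in the format quoted in this thread. This is an added example, not code from any poster or from fail2ban itself; the function name `offenders`, the threshold of 3 failures in 10 minutes, and the sample lines (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the per-client failure line from the maillog excerpt in the thread.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/smtpd\[\d+\]:\swarning:\s*"
    r"(?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]:\s"
    r"SASL \S+ authentication failed"
)

def offenders(lines, max_retry=3, find_time=timedelta(minutes=10), year=2011):
    """Return {ip: time it first reached max_retry failures within find_time}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # the "All-whitespace username" line carries no client IP
        # syslog timestamps omit the year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:   # drop failures older than the window
            window.popleft()
        if len(window) >= max_retry and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

# Constructed sample input (not the poster's real log).
TEMPLATE = ("Mar 24 {t} mailserver postfix/smtpd[9301]: warning: {c}: "
            "SASL LOGIN authentication failed: generic failure")
SAMPLE = [
    "Mar 24 10:17:10 mailserver postfix/smtpd[9301]: warning: "
    "SASL authentication failure: All-whitespace username.",
    TEMPLATE.format(t="10:17:10", c="unknown[192.0.2.10]"),
    TEMPLATE.format(t="10:17:11", c="unknown[192.0.2.10]"),
    TEMPLATE.format(t="10:17:12", c="host.example.net[198.51.100.7]"),
    TEMPLATE.format(t="10:17:13", c="unknown[192.0.2.10]"),
    TEMPLATE.format(t="10:40:00", c="host.example.net[198.51.100.7]"),
    TEMPLATE.format(t="10:41:00", c="host.example.net[198.51.100.7]"),
]

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE).items():
        print(f"{ip} reached the failure threshold at {when}")
```

Because the failures in the original log come from many different addresses, a per-IP threshold only catches hosts that retry from the same address inside the window.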
            • weber@zackbummfertig.de
              Message 6 of 6 , Mar 26 12:39 PM
                On Thu, 24 Mar 2011 18:51:16 +0100, Patrick Ben Koetter
                <p@...> wrote:
                > * Victor Duchovni <postfix-users@...>:
                >> On Thu, Mar 24, 2011 at 02:07:43PM -0300, Odilo Schwade Junior
                >> wrote:
                >>
                >> > It is not my IP address. I don't know if it's a zombie.. I just
                >> think it may
                >> > be.. XXX.XXX.XXX.XXX = random IPs address. Most of Brazil,
                >> Portugal
                >> > and US as I said earlier.
                >>
                >> You can restrict SASL to TLS only, then perhaps fewer zombies will
                >> bother.
                >> If you get SASL attempts from TLS-enabled zombies, just make sure
                >> your
                >> passwords are strong enough to not succumb to easy dictionary
                >> attacks.
                >
                > You can also use fail2ban to ban (iptables) clients that have X
                > unsuccessful
                > SASL login attempts.

                A friend implemented that Method on my Server. It works like a charm.

                >
                > p@rick