Postfix scenrios - SASL LOGIN authentication failed

toz · January 10, 2023, 11:34am

I am wondering if CrowdSec is currently covering the “SASL LOGIN authentication failed” scenario. I have read this thread (one year old) New install, postfix / IMAP and it appears that Fail2Ban does but Crowdsec not yet?

In any case, I have the postfix scenarios installed but my log is full of authentication attempts, with individual IPs trying 20 times and more.

postfix/submission/smtpd[1994969]: warning: unknown[141.98.10.106]: SASL LOGIN authentication failed:

As a workaround a created a script which filters out those IPs followed by

cscli decisions add --ip $ip

Should Crowdsec catch these already? If not, any plans?

toz · January 16, 2023, 2:37pm

Closed with Discord

cybermcm · March 24, 2023, 10:41am

@toz: I have the same issue, followed the discourse discussion, but I do not get the solution. Is there any?

blu-IT · April 4, 2023, 8:33am

Tried to look for the solution on Discord, following the link says: “You are on a strange place…” Well something lilke, the post ist not found.

Can someone help or paste the solution here? Thanks!

toz · April 4, 2023, 10:01am

What I ended up doing is increasing some of the default values of the scenario.
I can’t look it up for you right now I am afraid, as I am currently not able to log on to this horrible, blinking Discord mess.

Apparently I am logging in from a new location (which I don’t), and by the time the confirmation email arrives the token expired…

blu-IT · April 11, 2023, 9:16am

@toz

Thanks, I appreciate your help! Maybe it is a good idea to tranfer the solution in this place here, where it has the chance to be permanent accessible.
I found only this and another post regarding “postfix-sasl” and this post here provides a solution that unfortunately “disapeared”