OpenSMTPD SMTP auth failure pattern
- OpenBSD 6.6 amd64
- OpenSMTPD 6.6.0
- SSHGuard 2.4.0 from source
Log source: syslog (/var/log/maillog)
Similar to #112 but whereas that involves attempted auth on an SMTP service that doesn’t support auth, this set of logs is on a submission service (587/tcp) that is auth enabled. I think this is related to existing OpenSMTPD log format support, but perhaps the format has changed.
May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp connected address=x.y.113.164 host=ipx-y-113-164.ph.ph.cox.net
May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp tls ciphers=TLSv1:ECDHE-RSA-AES256-SHA:256
May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:01 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:01 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:02 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:02 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:02 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:02 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:02 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:03 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:03 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:03 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:03 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:04 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:04 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:04 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:04 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:05 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:05 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:06 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:06 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:07 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:07 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:07 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:08 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:08 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:08 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=ok
May 26 00:20:08 mx01 smtpd[9904]: ce7a8154503699d2 smtp disconnected reason=disconnect
Seems like a similar challenge in that each log line does not include the remote IP address.
Comments (4)
P.S. You’re on OpenBSD! Looks like ports has caught up to 2.3.1. Is pledge() working for you?
(reporter) I haven’t tested 2.3.1 from ports or pledge() support yet, just some validation testing in the email stack.
Seems fair to ask about IP support. You or me? :)
Looks like there’s an opensmtpd misc mailing list; I think I’ll hop on and ask. If you’re not already subscribed, I invite you to join and we’ll see what happens.
Yes, not having the IP addresses on each line complicates things a bit. I think what will be needed is some hacking/feature addition to sshg-parser to recognize session IDs, and associate them with IPs later on. I wonder if the alternative, which is to ask OpenSMTPD developers nicely to include IP addresses in every line, is also possible?
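Added example, not sshg-parser code: a Python sketch of the session-ID bookkeeping proposed in the comment above, run over constructed log lines in the format quoted in the report. The function name, the sample session IDs and the client addresses are assumptions; the bookkeeping forgets a session on "disconnected" and counts auth events whose session was never seen connecting (for example after log rotation) as orphans rather than attributing them to a wrong address.

```python
import re
from collections import defaultdict

# OpenSMTPD 6.6 syslog lines as quoted in the report: every line carries a
# 16-hex-digit session ID, but only the "connected" line names the client.
LINE_RE = re.compile(r'smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) smtp '
                     r'(?P<event>connected|authentication|disconnected)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def correlate_auth_failures(lines):
    """Map permfail auth results back to client addresses via session ID.
    Returns ({address: permfail_count}, orphan_count); orphans are auth
    events whose session was never seen on a "connected" line."""
    sessions = {}                # session id -> client address
    failures = defaultdict(int)  # client address -> permfail count
    orphans = 0
    for line in lines:
        m = LINE_RE.search(line)
        if not m:                # tls / failed-command lines carry nothing we need
            continue
        sid, event = m.group('sid'), m.group('event')
        fields = dict(KV_RE.findall(m.group('rest')))
        if event == 'connected':
            sessions[sid] = fields.get('address')
        elif event == 'authentication':
            addr = sessions.get(sid)
            if addr is None:
                orphans += 1
            elif fields.get('result') == 'permfail':
                failures[addr] += 1
        elif event == 'disconnected':
            sessions.pop(sid, None)  # a reused ID must not inherit an old address
    return dict(failures), orphans

# Constructed sample (not from the report): two interleaved sessions plus an
# orphan line whose session ID never appeared on a "connected" line.
SAMPLE_LOG = """\
May 26 00:20:00 mx01 smtpd[9904]: 0a0a0a0a0a0a0a0a smtp connected address=192.0.2.10 host=a.example
May 26 00:20:00 mx01 smtpd[9904]: 0a0a0a0a0a0a0a0a smtp tls ciphers=TLSv1:ECDHE-RSA-AES256-SHA:256
May 26 00:20:01 mx01 smtpd[9904]: 0b0b0b0b0b0b0b0b smtp connected address=198.51.100.7 host=b.example
May 26 00:20:01 mx01 smtpd[9904]: 0a0a0a0a0a0a0a0a smtp authentication user=alice result=permfail
May 26 00:20:01 mx01 smtpd[9904]: 0a0a0a0a0a0a0a0a smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:02 mx01 smtpd[9904]: 0b0b0b0b0b0b0b0b smtp authentication user=bob result=permfail
May 26 00:20:02 mx01 smtpd[9904]: 0a0a0a0a0a0a0a0a smtp authentication user=alice result=permfail
May 26 00:20:03 mx01 smtpd[9904]: 0a0a0a0a0a0a0a0a smtp authentication user=alice result=ok
May 26 00:20:03 mx01 smtpd[9904]: 0a0a0a0a0a0a0a0a smtp disconnected reason=disconnect
May 26 00:20:04 mx01 smtpd[9904]: 0c0c0c0c0c0c0c0c smtp authentication user=carol result=permfail
"""

if __name__ == '__main__':
    print(correlate_auth_failures(SAMPLE_LOG.splitlines()))
```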