OpenSMTPD SMTP auth failure pattern

Issue #127 open
Darren S. created an issue
  • OpenBSD 6.6 amd64
  • OpenSMTPD 6.6.0
  • SSHGuard 2.4.0 from source

Log source: syslog (/var/log/maillog)

Similar to #112 but whereas that involves attempted auth on an SMTP service that doesn’t support auth, this set of logs is on a submission service (587/tcp) that is auth enabled. I think this is related to existing OpenSMTPD log format support, but perhaps the format has changed.

May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp connected address=x.y.113.164 host=ipx-y-113-164.ph.ph.cox.net
May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp tls ciphers=TLSv1:ECDHE-RSA-AES256-SHA:256
May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:01 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:01 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:02 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:02 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:02 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:02 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:02 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:03 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:03 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:03 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:03 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:04 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:04 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:04 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:04 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:05 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:05 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:06 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:06 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:07 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:07 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:07 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:08 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:08 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:08 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=ok
May 26 00:20:08 mx01 smtpd[9904]: ce7a8154503699d2 smtp disconnected reason=disconnect

Seems like a similar challenge in that each log line does not include the remote IP address.

Comments (4)

  1. Kevin Zheng
    • changed status to open

    Yes, not having the IP addresses on each line complicates things a bit.

    I think what will be needed is some hacking/feature addition to sshg-parser to recognize session IDs, and associate them with IPs later on. I wonder if the alternative, which is to ask OpenSMTPD developers nicely to include IP addresses in every line, is also possible?
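The session-ID correlation sketched above (matching the reporter's log excerpt) can be prototyped outside sshg-parser. The following is an added example, not SSHGuard or OpenSMTPD code: it keys each `smtpd` line on the 16-hex-digit session ID, remembers the `address=` from the `connected` line, charges every `authentication ... result=permfail` to that address, and forgets the mapping on `disconnected`. The sample log is constructed from the lines in the issue with the client address replaced by a documentation-range value; the class and regex names are this example's own, and the failure threshold is an assumed tuning knob.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the issue's excerpt (client address swapped for an
# RFC 5737 documentation address). The last line is a permfail for a session whose
# "connected" line was never seen (e.g. logged before rotation), to exercise that case.
SAMPLE_LOG = """\
May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp connected address=192.0.2.164 host=client.example.invalid
May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp tls ciphers=TLSv1:ECDHE-RSA-AES256-SHA:256
May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:01 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:02 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=permfail
May 26 00:20:08 mx01 smtpd[9904]: ce7a8154503699d2 smtp authentication user=jefferson.brinks result=ok
May 26 00:20:08 mx01 smtpd[9904]: ce7a8154503699d2 smtp disconnected reason=disconnect
May 26 00:21:00 mx01 smtpd[9904]: 0123456789abcdef smtp authentication user=alice result=permfail
"""

# syslog prefix, then "<session-id> smtp <event> [key=value ...]"
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ smtpd\[\d+\]: "
    r"(?P<sid>[0-9a-f]{16}) smtp (?P<event>\S+)(?: (?P<rest>.*))?$"
)
ADDR_RE = re.compile(r"\baddress=(?P<addr>\S+)")
AUTH_RE = re.compile(r"\buser=(?P<user>\S+) result=(?P<result>\S+)")


def parse_event(line):
    """Return (session_id, event, rest) for an smtpd line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("sid"), m.group("event"), m.group("rest") or ""


class SessionCorrelator:
    """Attribute per-session auth failures to the IP seen on the session's 'connected' line."""

    def __init__(self, threshold=3):  # threshold is an assumed tuning value
        self.threshold = threshold
        self.session_ip = {}              # session id -> client address
        self.failures = defaultdict(int)  # client address -> permfail count
        self.orphaned = 0                 # permfails whose session was never seen connecting
        self.alerts = []                  # (address, user) when the threshold is reached

    def feed(self, line):
        parsed = parse_event(line)
        if parsed is None:
            return
        sid, event, rest = parsed
        if event == "connected":
            m = ADDR_RE.search(rest)
            if m:
                self.session_ip[sid] = m.group("addr")
        elif event == "authentication":
            m = AUTH_RE.search(rest)
            if m is None or m.group("result") != "permfail":
                return
            ip = self.session_ip.get(sid)
            if ip is None:
                self.orphaned += 1  # cannot attribute: no address known for this session
                return
            self.failures[ip] += 1
            if self.failures[ip] == self.threshold:
                self.alerts.append((ip, m.group("user")))
        elif event == "disconnected":
            self.session_ip.pop(sid, None)  # session ids may be reused later; drop the mapping


def correlate(text, threshold=3):
    """Feed every line of a log excerpt and return the populated correlator."""
    c = SessionCorrelator(threshold)
    for line in text.splitlines():
        c.feed(line)
    return c


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    print(dict(result.failures), result.alerts, "orphaned:", result.orphaned)
```

The session table is the state a line-oriented matcher like sshg-parser lacks; it has to persist across lines and should be bounded (entries expire on `disconnected`, and a stale-entry sweep would be needed for sessions whose disconnect line is missed). Failures that arrive before any `connected` line for their session are counted separately rather than guessed, so a log tail started mid-session never blocks the wrong address.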

  2. Kevin Zheng

    P.S. You’re on OpenBSD! Looks like ports has caught up to 2.3.1. Is pledge() working for you?

  3. Darren S. reporter

    I haven’t tested 2.3.1 from ports or pledge() support yet, just some validation testing in the email stack.

    Seems fair to ask about IP support. You or me? :)

  4. Kevin Zheng

    Looks like there’s an opensmtpd misc mailing list; I think I’ll hop on and ask. If you’re not already subscribed, I invite you to join and we’ll see what happens.
