• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Mailbox search attemps flood my logs

Franco

Franco

Regular Pleskian
Hello,
on my VPS maillog I see all sorts of hacking attempts of the kind:

plesk_saslauthd[4978]: No such user '[email protected]' in mail authorization database
plesk_saslauthd[4978]: failed mail authenticatication attempt for user '[email protected]' (password len=11)

or it can be test@ or service@, etc.

I hardly run any mail service on my VPS and I don't want to be flooded with such attempts for nonexisting mailboxes and users. How can I stop or prevent them?
I run fail2ban with various jails including dovecot and others, or shall I intervene at the firewall level?
Any help, please?
Franco
 
I have the plesk sasl jail alreay enabled with:
[postfix-sasl]
enabled = true
maxretry = 4

but no IP addresses currently banned on that. Or is it another kind of jail I should use?
 
@Franco

If you go to "Jails > Manage Filters > postfix-sasl" and inspect the regexp, then you should be aware that your regexp "failed mail authenticatication attempt for user" will not match.

A little bit of adjustment would allow Fail2Ban to actually ban some IPs.

Regards....
 
Hi Trialotto, thanks a lot for that, hopefully I fixed it by now. And I realized a few other jails did not have an action in place...
 
@Franco,

No problem, thanks for the thanks.

By the way, I am working on some improvements for Fail2Ban: one new jail (with a specific action), some new settings and some (much desired) added functionality.

Feel free to contribute, just start a conversation if you want to do that.

Anyway, remember me to keep you posted about the before mentioned improvements.

Regards....
 
You must log in or register to reply here.

Similar threads

X
Question How To Setup Outgoing Only Mail
Replies
1
Views
188
scsa20
scsa20
A
Question Warnings in mail log [SASL LOGIN authentication failed]
Replies
1
Views
1K
Peter Debik
P
S
Resolved Dovecot Broken After Latest Update
Replies
4
Views
1K
scpcomp
S
michaeljoseph01
Question How to block non-mail traffic to certain ip?
Replies
1
Views
991
MarkM
MarkM
S
Question How to prevent of this mail attacks?
Replies
5
Views
2K
Monty
Monty
Back
Top