• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Mailbox search attemps flood my logs

Franco

Franco

Regular Pleskian
Hello,
on my VPS maillog I see all sorts of hacking attempts of the kind:

plesk_saslauthd[4978]: No such user '[email protected]' in mail authorization database
plesk_saslauthd[4978]: failed mail authenticatication attempt for user '[email protected]' (password len=11)

or it can be test@ or service@, etc.

I hardly run any mail service on my VPS and I don't want to be flooded with such attempts for nonexisting mailboxes and users. How can I stop or prevent them?
I run fail2ban with various jails including dovecot and others, or shall I intervene at the firewall level?
Any help, please?
Franco
 
I have the plesk sasl jail alreay enabled with:
[postfix-sasl]
enabled = true
maxretry = 4

but no IP addresses currently banned on that. Or is it another kind of jail I should use?
 
@Franco

If you go to "Jails > Manage Filters > postfix-sasl" and inspect the regexp, then you should be aware that your regexp "failed mail authenticatication attempt for user" will not match.

A little bit of adjustment would allow Fail2Ban to actually ban some IPs.

Regards....
 
Hi Trialotto, thanks a lot for that, hopefully I fixed it by now. And I realized a few other jails did not have an action in place...
 
@Franco,

No problem, thanks for the thanks.

By the way, I am working on some improvements for Fail2Ban: one new jail (with a specific action), some new settings and some (much desired) added functionality.

Feel free to contribute, just start a conversation if you want to do that.

Anyway, remember me to keep you posted about the before mentioned improvements.

Regards....
 
You must log in or register to reply here.

Similar threads

X
Question How To Setup Outgoing Only Mail
Replies
5
Views
965
george-the-guy
G
A
Question Warnings in mail log [SASL LOGIN authentication failed]
Replies
1
Views
2K
Peter Debik
P
Polli
Issue Mails only possible with a wildcard certificate
Replies
5
Views
535
Polli
Polli
W
Issue Mail forwarded on the server in the target mailbox is delivered to the SPAM folder
Replies
0
Views
464
W4ru
W
S
Resolved Dovecot Broken After Latest Update
Replies
4
Views
2K
scpcomp
S
Back
Top