
Resolved: What is plesk_saslauthd for?

Cristian Rodriguez

New Pleskian
What is the goal of this line inside postfix/main.cf?

plesk_saslauthd unix y y n - 1 plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db

I noticed a brute force attack today. I had installed Fail2ban, but it is not banning these attempts, so I looked and saw that these attempts were related to one process PID associated with plesk_saslauthd. After looking for an answer on the internet I did not find anything important related to this issue. I went to postfix/master.cf and saw this line, which is the same one appearing in the PID details; I deleted this line from the file and now these attempts have disappeared from /var/log/maillog.

My questions: what does this line do? Is it important, and why is it there?

What calls my attention is that normal attempts are managed through postfix/smtp, not through plesk_saslauthd, so I guess these attempts come from a script in a subscription inside my server. The email server is working correctly, so maybe I do not need to add this line in postfix/master.cf.

Log from maillog

20:04:34 mail plesk_saslauthd[23595]: failed mail authentication attempt for user '[email protected]' (password len=13)

[root@mail xxxxx.xxx]# ps aux | grep 23595
postfix 23595 0.0 0.0 94764 5100 ? S 17:26 0:01 plesk_saslauthd -l -t unix -u status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db

UPDATE

After disabling this line, these log entries are shown; they may be the same login attempts:

Jun 4 21:14:54 mail postfix/smtpd[20834]: warning: SASL authentication failure: cannot connect to saslauthd server: Connection refused

It seems it solved the problem

Thank you for your response

Regarding the link you provided: I have no problems with sending or receiving emails, nor with POP3/IMAP/SMTP authentication; everything is working fine. My question is more about what this line is for:

plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db

If I uncomment it in master.cf, a lot of SMTP login attempts are made from unknown locations. No IP address is associated with each log entry, so I cannot block them with fail2ban; if I comment this line, these attempts are banned. All these are brute force attacks.

All email users should be authenticated in order to send emails. In general the email server works better without that line; no problem has been detected after 24 hours with that line commented out.


[root@mail xxxx.xx]# cat /usr/lib64/sasl2/smtpd.conf
pwcheck_method: auxprop saslauthd
auxprop_plugin: plesk
saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
auto_transition: yes
sql_engine: intentionally disabled
log_level: 4

[root@mail xxxxx.xx]# service saslauthd status
saslauthd (pid 13374) is running...
Looks like with this configuration you disabled the ability to use SMTP AUTH in your e-mail server.

That's why you don't see new warnings in the logs about failed mail authentication attempts, and that's why you see the warning that smtpd can't connect to the saslauthd server.

---

Errors like 'failed mail authentication attempt for user '[email protected]'' show that viruses are trying to brute-force the login/password of the email accounts from the Internet.

This warning is not an error; you can enable fail2ban and it will ban such viruses by IP after a few failed attempts (Fail2ban keeps banning the IP address: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure).

SMTP AUTH is working correctly in all 70 of the server's subscriptions and no problems have been reported, so I guess this line is not necessary. After deleting the line:

plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db

After disabling that line, this log entry:
failed mail authentication attempt for user '[email protected]'

Has changed to this:
warning: SASL authentication failure: cannot connect to saslauthd server: Connection refused

So I think it helped to block these brute force attacks. Fail2ban needs an IP as a reference, but in the first log there is no IP; the only thing I can get is a process ID, so fail2ban was not blocking these attempts. Fail2ban only blocks attempts like unknown[203.0.113.2]: SASL LOGIN authentication failed.

I have tested every possible SMTP configuration and all of them work correctly; for now, disabling this line seems to make my dedicated server safer.

Hey Christian,
Thanks for this solution.
Is this still valid?

In this way you stopped sending through webmail. Are you aware of that?
Hi everyone! If you want to improve Plesk security, please vote for this feature to add IP address and non-existent mailbox management. It could help protect your email accounts from brute force attacks.

Here’s the link: Add IP Address and "non-existent mailbox" to plesk_saslauthd Authentication Logs
@mar-ek Back in 2018, we agreed with the OP & adopted his suggestions of the edit/ removal.
It worked perfectly (for us) and we never had the issues suggested in post #6 above.
However, there's obviously been lots of changes / OS releases / Plesk releases etc since the OP started this thread.
Hence, the suggested edit / removal was subsequently reversed by us and made operational again.
You've not stated what OS / What Plesk release you are using, but, have you had a chance to examine the content of /var/log/syslog recently?
IP addresses of attempted brute force attacks / non-existent mailboxes / fake logins to existing mailboxes etc. are displayed there (with our config anyway).
Here is an example (sanitised with the exception of the offending IP) that's been extracted from a recent copy of that log:

Code:
2024-09-22T13:41:32.954376+00:00 data postfix/smtpd[56364]: connect from unknown[31.177.33.120]
2024-09-22T13:41:35.688952+00:00 data plesk_saslauthd[56376]: failed mail authentication attempt for user '********' (password len=8)
2024-09-22T13:41:35.689271+00:00 data postfix/smtpd[56364]: warning: unknown[31.177.33.120]: SASL LOGIN authentication failed: authentication failure, sasl_username=********
2024-09-22T13:41:36.039098+00:00 data postfix/smtpd[56364]: lost connection after AUTH from unknown[31.177.33.120]
2024-09-22T13:41:36.039174+00:00 data postfix/smtpd[56364]: disconnect from unknown[31.177.33.120] ehlo=1 auth=0/1 commands=1/2
2024-09-22T13:42:05.719432+00:00 data plesk_saslauthd[56376]: select timeout, exiting

Did you need more than that? Or was it something else that's not covered in there? If you use a firewall, like say Danami Juggernaut as we do (available direct, or as a purchased Plesk 3rd Party Extension) or others, then you can configure it to detect fast, repetitive attempts from the same IP and/or multiple attempts from different IPs and instantly deny them any access. Fail2Ban is a free alternative via Plesk (we don't use it as Fail2Ban / Juggernaut are mutually exclusive).
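The two log formats discussed in this thread (the plesk_saslauthd failure line that carries only a PID and a username, and the postfix/smtpd "SASL ... authentication failed" line that carries the client IP) are what the OP's fail2ban problem and the log excerpt above both hinge on. The following Python script is an added example, not code from the thread or from Plesk or fail2ban. It parses a constructed maillog excerpt, pairs each plesk_saslauthd failure with the postfix/smtpd failure that follows it, counts failures per client IP the way a fail2ban jail would, and reports any saslauthd failures that never got an IP. The sample log lines, hostnames, usernames and addresses are constructed; the regexes reflect the line shapes shown in this thread, not an official format specification.

```python
import re
from collections import Counter

# Constructed sample maillog excerpt (not taken from the thread). Two failed
# AUTH attempts from one client and one from another; each attempt produces a
# plesk_saslauthd line (no IP, only PID) and a postfix/smtpd line (with IP).
SAMPLE_LOG = """\
Sep 22 13:41:32 mail postfix/smtpd[56364]: connect from unknown[198.51.100.23]
Sep 22 13:41:35 mail plesk_saslauthd[56376]: failed mail authentication attempt for user 'alice@example.com' (password len=8)
Sep 22 13:41:35 mail postfix/smtpd[56364]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice@example.com
Sep 22 13:41:36 mail postfix/smtpd[56364]: lost connection after AUTH from unknown[198.51.100.23]
Sep 22 13:41:40 mail plesk_saslauthd[56376]: failed mail authentication attempt for user 'bob@example.com' (password len=11)
Sep 22 13:41:40 mail postfix/smtpd[56364]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure, sasl_username=bob@example.com
Sep 22 13:42:01 mail postfix/smtpd[56390]: connect from unknown[203.0.113.7]
Sep 22 13:42:03 mail plesk_saslauthd[56376]: failed mail authentication attempt for user 'carol@example.com' (password len=6)
Sep 22 13:42:03 mail postfix/smtpd[56390]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure, sasl_username=carol@example.com
Sep 22 13:42:05 mail postfix/smtpd[56390]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 commands=1/2
Sep 22 13:42:35 mail plesk_saslauthd[56376]: select timeout, exiting
"""

# plesk_saslauthd's failure line names the user but no client address, which is
# why fail2ban cannot act on it directly.
SASLAUTHD_RE = re.compile(
    r"plesk_saslauthd\[(?P<pid>\d+)\]: "
    r"failed mail authentication attempt for user '(?P<user>[^']*)'"
)
# postfix/smtpd's failure line is the one that carries the client IP; this is
# the kind of line a fail2ban filter for postfix SASL failures keys on.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\w+) authentication failed"
)


def parse_failures(log_text):
    """Walk the log once. Each plesk_saslauthd failure is held until the next
    postfix/smtpd SASL failure names the client IP; the two are then paired.

    Returns a tuple:
      per_ip   - Counter of SASL failures per client IP (what a jail counts)
      pairs    - list of (ip, user) for failures that could be attributed
      orphans  - list of (pid, user) saslauthd failures that never got an IP
    """
    per_ip = Counter()
    pairs = []
    pending = []  # saslauthd failures waiting for their smtpd counterpart
    for line in log_text.splitlines():
        m = SASLAUTHD_RE.search(line)
        if m:
            pending.append((m.group("pid"), m.group("user")))
            continue
        m = SMTPD_RE.search(line)
        if m:
            ip = m.group("ip")
            per_ip[ip] += 1
            # Pair with the oldest unmatched saslauthd failure, if any.
            user = pending.pop(0)[1] if pending else None
            pairs.append((ip, user))
    return per_ip, pairs, pending


def ban_candidates(per_ip, maxretry):
    """IPs with at least `maxretry` failures: the decision a fail2ban jail
    makes once its filter has extracted the IP from the smtpd line."""
    return sorted(ip for ip, n in per_ip.items() if n >= maxretry)


if __name__ == "__main__":
    counts, pairs, orphans = parse_failures(SAMPLE_LOG)
    for ip, user in pairs:
        print(f"{ip:16} {user}")
    print("failures per IP:", dict(counts))
    print("would ban with maxretry=2:", ban_candidates(counts, 2))
    print("saslauthd failures with no IP:", orphans)
```

Run stand-alone, the script attributes all three constructed failures to an IP, reports two failures for 198.51.100.23 and one for 203.0.113.7, and lists only the first address as a ban candidate at maxretry=2. Feeding it a lone plesk_saslauthd line with no smtpd counterpart (the situation the OP described) leaves that entry in the orphans list, which is exactly the case where an IP-based jail has nothing to work with and the smtpd log line is the one to match on.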