
Bug#1035525: sendmail-bin: Change log level of saslauthd failed auth attempts



Package: sendmail-bin
Version: 8.15.2-22
Severity: normal
Tags: upstream

It seems to be a pretty big security issue that there is no coherent reporting/logging
of failed auth login attempts when using saslauthd with sendmail.

The saslauthd log lines for failed auth attempts are similar to this:

May 04 13:32:49 somehost saslauthd[2996]:                 : auth failure: [user=mailtest] [service=smtp] [realm=somerealm] [mech=pam] [reason=PAM auth error]

But saslauthd does not report the IP address that originated the auth attempt
(probably because it doesn't know it?), and sendmail (by default) doesn't seem
to report the failed auth attempt at all.

This deficiency prevents trying to take active steps (for example using fail2ban) to
try to protect against repeated brute force auth hacking attempts.

I think that sendmail may already have the ability to report AUTH failures, but that those
are only enabled with high log levels that include lots of other log spam.

It seems to me that a failed auth login should be reported by default by sendmail,
since it both knows the IP the attempt originated from, as well as the status of the
auth attempt, and I would like to see this reporting enabled in the standard packages.

If there is a way to easily indicate that the auth attempt is for a user that doesn't
even exist, that would be even better, as that would be a pretty clear indication of a
potential hack attempt.

-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-21-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sendmail-bin depends on:
ii  debconf              1.5.77
ii  init-system-helpers  1.60
ii  libc6                2.31-13+deb11u5
ii  libdb5.3             5.3.28+dfsg1-0.8
ii  libldap-2.4-2        2.4.57+dfsg-3+deb11u1
ii  liblockfile1         1.17-1+b1
ii  libnsl2              1.3.0-2
ii  libsasl2-2           2.1.27+dfsg-2.1+deb11u1
ii  libssl1.1            1.1.1n-0+deb11u4
ii  libwrap0             7.6.q-31
ii  lsb-base             11.1.0
ii  procps               2:3.3.17-5
ii  sendmail-base        8.15.2-22
ii  sendmail-cf          8.15.2-22

sendmail-bin recommends no packages.

Versions of packages sendmail-bin suggests:
ii  libsasl2-modules  2.1.27+dfsg-2.1+deb11u1
ii  openssl           1.1.1n-0+deb11u4
ii  sasl2-bin         2.1.27+dfsg-2.1+deb11u1
ii  sendmail-doc      8.15.2-22

Versions of packages libmilter1.0.1 depends on:
ii  libc6  2.31-13+deb11u5

-- no debconf information
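
An added example (not part of the original report, and not sendmail or fail2ban code): a parser for the saslauthd failure line quoted above that flags bursts of failures. The only key it can group on is the user, because the record carries no client address field. The sample lines, the year, the threshold and the window are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input, modeled on the saslauthd line quoted in the report.
_FMT = ("May 04 13:{} somehost saslauthd[2996]:                 : auth failure: "
        "[user={}] [service=smtp] [realm=somerealm] [mech=pam] [reason=PAM auth error]")
SAMPLE = [_FMT.format(t, u) for t, u in [
    ("32:49", "mailtest"), ("33:10", "mailtest"), ("33:40", "mailtest"),
    ("34:05", "mailtest"), ("50:00", "otheruser")]]
SAMPLE.append("May 04 13:35:00 somehost sm-mta[3101]: constructed unrelated line")

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]:"
                     r".*?auth failure: (?P<fields>.*)$")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_failure(line, year=2023):
    """Return the [key=value] fields of a failure line plus 'time', or None.

    Syslog timestamps carry no year, so `year` is an assumed parameter.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["time"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return rec


def bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Map user -> largest number of SMTP auth failures seen inside `window`."""
    by_user = defaultdict(list)
    for line in lines:
        rec = parse_failure(line)
        if rec and rec.get("service") == "smtp" and "user" in rec:
            by_user[rec["user"]].append(rec["time"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        for start in times:  # slide the window over each failure time
            n = sum(1 for t in times if timedelta(0) <= t - start <= window)
            if n >= threshold:
                flagged[user] = max(flagged.get(user, 0), n)
    return flagged


if __name__ == "__main__":
    print(sorted(k for k in parse_failure(SAMPLE[0]) if k != "time"))
    print(bursts(SAMPLE))
```

Grouping by user supports alerting or account-level review, but it gives a tool like fail2ban nothing to ban, which is why the report asks for the failure to be logged by sendmail, the side that knows the client address.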

