# saslauthd + sendmail + sshguard: How To



## aupanner (Sep 30, 2014)

Like other users I've installed security/cyrus-sasl2-saslauthd in order to have authentication for relaying connections to sendmail, and like them I've found that this opens up a new route for crackers to try brute-forcing passwords. This is compounded by SASL's failure to log an IP address. A fix to SASL has been requested repeatedly over the years (since at least 2009), but it's a breaking change so it'll probably never happen.

/var/log/auth.log

```
Sep 30 09:07:53 localhost saslauthd[837]: do_auth         : auth failure: [user=Administrator] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
```

But by increasing sendmail's LogLevel to 10, you can have it do the required logging.

/var/log/maillog

```
Sep 30 09:07:53 localhost sm-mta[3680]: s8UG7MuL003680: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=zonetel-bb-209-203.zonetel.com.sg [103.28.209.203] (may be forged)
Sep 30 09:07:53 localhost sm-mta[3680]: s8UG7MuL003680: AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: no user in db, relay=zonetel-bb-209-203.zonetel.com.sg [103.28.209.203] (may be forged)
```

Once you have attacks logged, you can use security/sshguard, which parses log files and watches for attacking behavior, blocking abusers via a variety of mechanisms. (Or fail2ban, etc.) Unfortunately stock sshguard doesn't know the above attack signature, so it needs to be added manually.

/usr/ports/security/sshguard/files/patch-src-parser-attack_parser.y

```
--- src/parser/attack_parser.y.orig        2014-09-29 16:24:45.469552703 -0700
+++ src/parser/attack_parser.y     2014-09-29 16:33:26.847547246 -0700
@@ -102,7 +102,7 @@
 /* exim */
 %token EXIM_ESMTP_AUTHFAIL_PREF EXIM_ESMTP_AUTHFAIL_SUFF
 /* sendmail */
-%token SENDMAIL_RELAYDENIED_PREF SENDMAIL_RELAYDENIED_SUFF
+%token SENDMAIL_RELAYDENIED_PREF SENDMAIL_RELAYDENIED_SUFF SENDMAIL_FAILAUTH_PREF SENDMAIL_FAILAUTH_SUFF
 /* FreeBSD's FTPd */
 %token FREEBSDFTPD_LOGINERR_PREF FREEBSDFTPD_LOGINERR_SUFF
 /* proFTPd */
@@ -315,8 +315,10 @@
    EXIM_ESMTP_AUTHFAIL_PREF addr EXIM_ESMTP_AUTHFAIL_SUFF
    ;

+/* sendmail */
 sendmailmsg:
-   SENDMAIL_RELAYDENIED_PREF addr SENDMAIL_RELAYDENIED_SUFF;
+   SENDMAIL_RELAYDENIED_PREF addr SENDMAIL_RELAYDENIED_SUFF
+   | SENDMAIL_FAILAUTH_PREF addr SENDMAIL_FAILAUTH_SUFF
    ;

 /* attack rules for FreeBSD's ftpd */
```
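Review bot: the new `| SENDMAIL_FAILAUTH_PREF addr SENDMAIL_FAILAUTH_SUFF` alternative in the `@@ -315,8 +315,10 @@` hunk carries no comment saying which maillog line it is meant to match, while the scanner file documents its rules with a sample line (see the `"User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers"` comment). Add the `AUTH failure (LOGIN): ... SASL(-13): authentication failure: checkpass failed, relay=host [ip] (may be forged)` sample above the rule and note that sendmail only writes it at LogLevel 10 or higher, otherwise the next reader cannot tell why the rule never fires on a default installation.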

/usr/ports/security/sshguard/files/patch-src-parser-attack_scanner.l

```
--- src/parser/attack_scanner.l.orig       2011-02-09 04:01:47.000000000 -0800
+++ src/parser/attack_scanner.l    2014-09-29 16:30:31.755547337 -0700
@@ -66,7 +66,7 @@
  /* for Login services */
 %s ssh_notallowed ssh_loginerr ssh_reversemap
  /* for Mail services */
-%s dovecot_loginerr  cyrusimap_loginerr exim_esmtp_autherr sendmail_relaydenied
+%s dovecot_loginerr  cyrusimap_loginerr exim_esmtp_autherr sendmail_relaydenied sendmail_failauth
  /* for FTP services */
 %s freebsdftpd_loginerr  proftpd_loginerr  pureftpd_loginerr vsftpd_loginerr

@@ -127,7 +127,7 @@


  /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
-"Invalid user ".+" from "                         { return SSH_INVALUSERPREF; }
+[Ii]"nvalid user ".+" from "                         { return SSH_INVALUSERPREF; }
  /* match disallowed user (not in AllowUsers/AllowGroups or in DenyUsers/DenyGroups) on Linux Ubuntu/FreeBSD */
  /* "User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers" */
 "User ".+" from "                                               { BEGIN(ssh_notallowed); return SSH_NOTALLOWEDPREF; }
@@ -166,6 +166,9 @@
 "Relaying denied. IP name lookup failed ["                      { BEGIN(sendmail_relaydenied); return SENDMAIL_RELAYDENIED_PREF; }
 <sendmail_relaydenied>"]"                                       { BEGIN(INITIAL); return SENDMAIL_RELAYDENIED_SUFF; }

+.+": authentication failure: checkpass failed, relay="[^\[]*"[" { BEGIN(sendmail_failauth); return SENDMAIL_FAILAUTH_PREF; }
+<sendmail_failauth>"]"(" (may be forged)")?                     { BEGIN(INITIAL); return SENDMAIL_FAILAUTH_SUFF; }
+
  /* dovecot */
 "imap-login: Aborted login (auth failed, "{NUMBER}" attempts): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; }
 <dovecot_loginerr>", lip=".+                                        { BEGIN(INITIAL); return DOVECOT_IMAP_LOGINERR_SUFF; }
```
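Review bot: the `[Ii]"nvalid user "` change in the `@@ -127,7 +127,7 @@` hunk is an SSH rule change unrelated to the sendmail AUTH signature the rest of the patch adds, and it widens matching to a lower-case `invalid user` form without saying which sshd emits it. Split it into its own patch with the sample log line that motivated it, so the sendmail change can be reviewed and reverted on its own.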
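Review bot: the new `SENDMAIL_FAILAUTH_PREF` rule in the `@@ -166,6 +166,9 @@` hunk only recognises the `authentication failure: checkpass failed, relay=` reason, so the second maillog line quoted at the top of the post (`AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: no user in db, relay=... [103.28.209.203] (may be forged)`) never produces a token and CRAM-MD5 probes of non-existent accounts go uncounted. Both lines share the same `SASL(-13): <reason>, relay=host [ip]` tail, so a prefix such as `"SASL(-13): "[^,]+", relay="[^\[]*"["` covers both with the unchanged suffix rule. The leading `.+` also deserves a comment: it makes the rule consume the whole line up to the marker, syslog prefix included, which differs from the other sendmail rule (`"Relaying denied. IP name lookup failed ["`) that anchors on a fixed literal.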

You'll need to install bison in order to process the yacc file.  (byacc doesn't work.)

1. Update sendmail LogLevel to >= 10 and restart it.
2. Install the patch files into /usr/ports/security/sshguard/files.
3. Install the devel/bison port.
4. make clean and rebuild sshguard-pf (or whichever flavor of sshguard you're using).
5. Test sshguard with the new attack pattern (`env SSHGUARD_DEBUG=foo /usr/obj/usr/ports/security/sshguard-pf/work/stage/usr/local/sbin/sshguard`).
6. If all OK, install the new sshguard and restart it.
7. Profit.

I see both quick attacks (seconds between tries), and slow attacks (~2 hours between tries), so you might need to adjust your sshguard (or equivalent) parameters accordingly.
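As an added illustration (not part of aupanner's post and not sshguard's own code), here is a small Python detector that applies the same signature to sendmail maillog lines. It goes slightly beyond the scanner patch above: it extracts the relay IP from both AUTH-failure shapes quoted at the top of the post, including the `user not found: no user in db` line that the patch does not match, tolerates the optional `(may be forged)` suffix and a bare `relay=[ip]` with no hostname, and counts hits per source inside a sliding window so the quick-versus-slow attack difference can be seen. The log lines, IPs, queue ids, and the threshold and window values are constructed for the example; they are not sshguard defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample maillog (sendmail LogLevel >= 10); IPs are documentation ranges.
# Lines 1-3: a quick attack, three failures within seconds from one source, mixing the
# "checkpass failed" and "user not found" reasons and the optional "(may be forged)" suffix.
# Line 4: an unrelated delivery line that must be ignored.
# Lines 5-7: a slow attack, one failure every ~2 hours from another source.
SAMPLE_MAILLOG = """\
Sep 30 09:07:53 localhost sm-mta[3680]: s8UG7MuL003680: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=host.example.net [192.0.2.10] (may be forged)
Sep 30 09:07:53 localhost sm-mta[3680]: s8UG7MuL003680: AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: no user in db, relay=host.example.net [192.0.2.10] (may be forged)
Sep 30 09:07:55 localhost sm-mta[3681]: s8UG7MuM003681: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[192.0.2.10]
Sep 30 09:08:01 localhost sm-mta[3682]: s8UG7MuN003682: from=<a@example.org>, size=1234, class=0, nrcpts=1, relay=mail.example.org [198.51.100.7]
Sep 30 10:00:00 localhost sm-mta[3700]: s8UH00AA003700: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.5]
Sep 30 12:01:00 localhost sm-mta[3800]: s8UJ10BB003800: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.5]
Sep 30 14:02:00 localhost sm-mta[3900]: s8UL20CC003900: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.5]
"""

# One pattern for both AUTH-failure reasons seen in the maillog excerpt. The hostname
# before "[" may be absent (relay=[ip]) and " (may be forged)" is optional, as in the
# sshguard suffix rule. Only the bracketed address is trusted; the name "may be forged".
SENDMAIL_AUTHFAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: \S+: "
    r"AUTH failure \((?P<mech>[^)]+)\): .*?SASL\(-\d+\): "
    r"(?:authentication failure: checkpass failed|user not found: no user in db), "
    r"relay=[^\[]*\[(?P<ip>[0-9A-Fa-f.:]+)\](?: \(may be forged\))?"
)


def parse_authfail(line, year=2014):
    """Return (timestamp, mechanism, source IP) for a sendmail AUTH-failure line,
    or None for any other maillog line. syslog timestamps carry no year, so the
    caller supplies one (assumption: 2014, the year of the post)."""
    m = SENDMAIL_AUTHFAIL.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["mech"], m["ip"]


def scan(log_text, threshold=3, window_hours=3.0, year=2014):
    """sshguard-style sliding-window counter: a source is blocked once it has
    `threshold` AUTH failures within `window_hours`. Returns a dict mapping each
    blocked IP to the timestamp of the failure that crossed the threshold.
    threshold/window are illustrative values, not sshguard's defaults."""
    window = timedelta(hours=window_hours)
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    blocked = {}
    for line in log_text.splitlines():
        parsed = parse_authfail(line, year)
        if parsed is None:
            continue
        ts, _mech, ip = parsed
        hits = [t for t in recent[ip] if ts - t <= window]  # expire old hits
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= threshold and ip not in blocked:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    # With a 3 hour window only the quick attacker is caught; a 5 hour window
    # also catches the slow one that tries every ~2 hours.
    for hours in (3, 5):
        print(f"window={hours}h:", scan(SAMPLE_MAILLOG, threshold=3, window_hours=hours))
```

The two runs in the `__main__` block show the point made about slow attacks: with the same threshold, a source that retries every couple of hours is only blocked when the window is long enough to hold all of its attempts, so the window (sshguard's equivalent settings, or fail2ban's `findtime`) has to be chosen against the slowest pattern you actually see in the log.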


----------



## Donald Baud (May 7, 2017)

Just to update this valuable post.

I tested security/sshguard today and it seems it no longer requires any patch to defend from brute-force SASL auth.

You still need to raise sendmail's log level to 10 though. The way I do it is to add this to the sendmail .mc file:

```
define(`confLOG_LEVEL', `10')
```


----------



## proton1234 (Dec 15, 2019)

aupanner said:


> Like other users I've installed security/cyrus-sasl2-saslauthd in order to have authentication for relaying connections to sendmail(),


I installed saslauthd too but am unable to get it working. Could you provide a kind of step-by-step guide, please?
I tried to replicate this guide https://www.freebsd.org/doc/handbook/SMTP-Auth.html
but at step 4 there is no make.conf file on my system.


----------



## T-Daemon (Dec 15, 2019)

proton1234 said:


> ... but on step 4 there is no make.conf file in my system.


Wouldn't the logical conclusion be to create one?


----------



## proton1234 (Dec 15, 2019)

T-Daemon said:


> Wouldn't the logical conclusion be to create one?


No, because I don't know what OS version this guide is for.


----------



## T-Daemon (Dec 15, 2019)

/etc/make.conf does not depend on an OS version. Have a look at make.conf(5). While we are at it, also at make(1) and ports(7).


----------



## proton1234 (Dec 15, 2019)

T-Daemon said:


> /etc/make.conf does not depend on a OS version. Have a look at make.conf(5). While we are at it also at make(1), and ports(7).


I found another way. I simply did the following:

```
/usr/ports/mail/sendmail/make config
```

enabled sasl and saslauthd

```
/usr/ports/mail/sendmail/make install clean
```

and that did the trick.


----------



## proton1234 (Dec 15, 2019)

`sendmail test@mailbox.com` sends emails, but cron emails and other system emails aren't sent to the 3rd-party SMTP server.


----------



## proton1234 (Dec 15, 2019)

Would it be enough to use nullclient to forward all mail, or is smart_host needed too?

```
FEATURE(`nullclient',`mta.external.com') dnl
define(`SMART_HOST',`mta.external.com') dnl
```


----------

