
I have recently noticed that my server was reporting in mail.log a lot of bad authentications for known users, and it's not a brute force attack. And I really don't know the cause of such authentications. I have users using the Gmail app, Mail on iOS, the Mail app on Mac OS X, Thunderbird and Outlook, and also a webmail service to access this server. On this server I have a self-signed certificate, and it is also working as a mail smart host. This system is Mac OS X 10.9.5.

From all the platforms, Outlook is the only one that has strange behaviour while connected to this server. It is constantly showing an annoying login popup with the credentials of the user, out of nowhere, and this happens with all my Outlook users. Users can use Outlook to send and receive, and all seems to work, except for that login popup.

From my mail.log I have this issue with SASL DIGEST-MD5, SASL PLAIN and SASL CRAM-MD5; for example, some random samples:

Jan 19 11:43:43 remote.x.pt postfix/smtpd[53889]: error: validate response: authentication failed for user=lcg (method=DIGEST-MD5)
Jan 19 11:43:43 remote.x.pt postfix/smtpd[53889]: warning: unknown[192.168.1.72]: SASL DIGEST-MD5 authentication failed

Jan 18 17:10:46 remote.x.pt postfix/smtpd[5838]: error: verify password: authentication failed: user=teste2@x.pt
Jan 18 17:10:46 remote.x.pt postfix/smtpd[5838]: warning: hq2.pacsis.pt[x]: SASL PLAIN authentication failed

Jan 16 15:13:06 remote.x.pt postfix/smtpd[17510]: error: validate response: authentication failed for user=teste3 (method=CRAM-MD5)
Jan 16 15:13:06 remote.x.pt postfix/smtpd[17510]: warning: remote.x.pt[192.168.1.1]: SASL CRAM-MD5 authentication failed

The first attempt was from Outlook, the second one I think came from the mail webservice and the third from the Mail app.

I cannot figure out what is causing this, but since I have bad auths from several different software clients I assume that there is something in my Postfix or Dovecot configs.

Here you can check both configs:

Postfix: http://pastebin.com/EU1iLjAP

Dovecot: http://pastebin.com/N9MfuvkD

Ports being used:

  • 587 SMTP STARTTLS

  • 993 IMAP SSL

UPDATE 1:

This is what is happening; here you can see that after a bad authentication at first, it next authenticates successfully:

Jan 19 14:33:05 remote.x.pt postfix/smtpd[62409]: error: validate response: authentication failed for user=lcg (method=DIGEST-MD5)
Jan 19 14:33:05 remote.x.pt postfix/smtpd[62409]: warning: unknown[192.168.1.72]: SASL DIGEST-MD5 authentication failed
Jan 19 14:33:05 remote.x.pt postfix/smtpd[62409]: verify password: AUTH PLAIN: authentication succeeded for user=lcg

UPDATE 2:

It seems like my server doesn't allow DIGEST-MD5 and CRAM-MD5 and then it switches to PLAIN, for certain users. At localhost I can use at least CRAM-MD5 without problem.

marafado88
  • Why do you think that is not a BF attack? – Kondybas Jan 19 '17 at 13:00
  • Because there are no patterns and it doesn't have lots of attempts in a short period of time. (I already had a BF attack before and I know the behaviour of this server with it.) – marafado88 Jan 19 '17 at 14:01
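Added example, not part of the question or the answer: a small Python triage over mail.log lines in the format quoted above. It groups lines by smtpd pid (one pid per client session) so that a failed challenge-response mechanism followed by a successful AUTH PLAIN in the same session is labelled as client fallback rather than as an attack, while a client that keeps failing in one session is flagged for rate-limiting review. The sample log is constructed; the 203.0.113.9 client and pid 62500 are made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the mail.log lines quoted in the question;
# the 203.0.113.9 client and pid 62500 are made up for contrast.
SAMPLE_LOG = """\
Jan 19 14:33:05 remote.x.pt postfix/smtpd[62409]: error: validate response: authentication failed for user=lcg (method=DIGEST-MD5)
Jan 19 14:33:05 remote.x.pt postfix/smtpd[62409]: warning: unknown[192.168.1.72]: SASL DIGEST-MD5 authentication failed
Jan 19 14:33:05 remote.x.pt postfix/smtpd[62409]: verify password: AUTH PLAIN: authentication succeeded for user=lcg
Jan 19 14:40:01 remote.x.pt postfix/smtpd[62500]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed
Jan 19 14:40:02 remote.x.pt postfix/smtpd[62500]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed
Jan 19 14:40:03 remote.x.pt postfix/smtpd[62500]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed
"""

PID_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
FAIL_RE = re.compile(r"warning: (\S+)\[([^\]]+)\]: SASL (\S+) authentication failed")
OK_RE = re.compile(r"AUTH (\S+): authentication succeeded for user=(\S+)")

def classify_sessions(log_text):
    """Group lines by smtpd pid (one pid = one client session) and label each session."""
    sessions = defaultdict(lambda: {"client": None, "fails": [], "success": None})
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions[pid]
        f = FAIL_RE.search(msg)
        if f:
            s["client"] = f.group(2)
            s["fails"].append(f.group(3))
        o = OK_RE.search(msg)
        if o:
            s["success"] = o.group(1)
    result = {}
    for pid, s in sessions.items():
        if s["success"] and s["fails"]:
            # Challenge-response mechanism failed, then PLAIN/LOGIN succeeded in the
            # same session: the client fell back, which points at config, not an attack.
            label = "mechanism-fallback"
        elif len(s["fails"]) >= 3:
            # Same client hammering one session: candidate for rate limiting / lockout review.
            label = "repeated-failure"
        elif s["fails"]:
            label = "single-failure"
        else:
            label = "clean"
        result[pid] = (label, s["client"], s["fails"], s["success"])
    return result
```

Run it against a real mail.log with `classify_sessions(open("/var/log/mail.log").read())`; sessions labelled mechanism-fallback are the ones the question describes.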

1 Answer


The problem that you are having is a Dovecot problem, not Postfix.
So you can understand how Dovecot authentication works, read this please:

You must understand that if the passwords for your clients are saved in the database in plain text, then you can use cram-md5 and digest-md5 (auth_mechanisms = plain login cram-md5 digest-md5). But if the password in the database is encrypted, let's say with one of the encryption schemes mentioned in the Dovecot documents here:
http://wiki2.dovecot.org/Authentication/PasswordSchemes , then you can't use cram-md5, unless the password is already saved in the database with a cram-md5 hash. This is confusing, so to understand better, let's say I have an email account with you and I log in:
Email Client ----->password--->Email-server will check the database, and there are 3 scenarios that I can see:

  • 1st Scenario: the password in the database is saved in plain text:
    Email-server--(auth_mechanisms = plain login cram-md5 digest-md5)-->Your password scheme (none)---->Database cram-md5(password) /or/ digest-md5(password) /or/ plain password: So the login password is going to match the plain-text password saved in the database.

  • 2nd Scenario: the password in the database is saved with SHA512-CRYPT:
    Email-server--auth_mechanisms(plain login)-->Email-server--check password--->default_pass_scheme = SHA512-CRYPT ----SHA512-CRYPT(password)--->database (ALREADY SHA512-CRYPT password) – Log-in match

  • 3rd Scenario: the database password is encrypted with cram-md5:
    Email-server---->auth_mechanisms(plain login cram-md5)-->Email-server---check password---default_pass_scheme = cram-md5--> cram-md5(password)---->database (password already saved as a cram-md5 password) – Log-in match

So you either encrypt the database password or not, use SSL/TLS and set auth_mechanisms="plain login", or:
If you don't want to use SSL, set auth_mechanisms=cram-md5 and store the password in the DB as cram-md5. If you want to use DIGEST-MD5 and CRAM-MD5, your password must be stored in PLAIN_TEXT.
So using only CRAM-MD5, the password in the database can be CRAM-MD5 or plain text; using DIGEST-MD5 and CRAM-MD5, the password in the database must be stored in plain text only.

At the next link you will find some scripts to help you encrypt your passwords in the database: http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

If you want to save the password in database as DIGEST-MD5 you must read this page: http://wiki2.dovecot.org/Authentication/Mechanisms/DigestMD5

Also, as you mentioned in our chat, the auth_mechanisms values used in Dovecot can be used in Postfix as smtpd_pw_server_security_options=plain in main.cf

Talal Al-Khalifa
  • Thanks for the response Talal, I have noticed that I had a commented part explaining the Outlook issue in master.cf. I am not using smtps in this config, and when you say filtering section, which part are you referring to? Here you have my master.cf to make it easier: http://pastebin.com/6VdCM96S – marafado88 Jan 20 '17 at 09:44
  • When I say filtering I meant after this line 127.0.0.1:10025 inet n - y - - smtpd – Talal Al-Khalifa Jan 20 '17 at 10:52
  • @sipriusPT also, because you are using postscreen, check the settings here http://www.postfix.org/POSTSCREEN_README.html – Talal Al-Khalifa Jan 20 '17 at 11:01
  • It seems like my server is not allowing DIGEST-MD5 and CRAM-MD5 and then it switches to PLAIN. At localhost I can use at least CRAM-MD5 without problem. – marafado88 Jan 20 '17 at 11:10
  • Also I have added those entries and still nothing. Same output. – marafado88 Jan 20 '17 at 12:54
  • @sipriusPT I will change my Postfix settings and see if I get the same error – Talal Al-Khalifa Jan 20 '17 at 15:41
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/52159/discussion-between-talal-s-alkhalifa-and-sipriuspt). – Talal Al-Khalifa Jan 20 '17 at 20:54
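Added example, not from the answer or from Dovecot: a Python model of why the answer's scenarios behave as they do. CRAM-MD5 (RFC 2195) sends only an HMAC-MD5 of the password over the server's challenge, so the server can verify it only if it can recompute that HMAC, which needs the plaintext password (Dovecot's stored {CRAM-MD5} context would also do, but that variant is not modelled here). PLAIN sends the password itself, so the server can rehash it under any one-way scheme. The "ONEWAY" scheme below is a salted pbkdf2 stand-in for SHA512-CRYPT, not Dovecot's real format; the account and challenge values are constructed.

```python
import hashlib
import hmac
import os

def store_plain(pw):
    """Constructed stand-in for a Dovecot passdb entry in the PLAIN scheme."""
    return ("PLAIN", pw)

def store_oneway(pw):
    """Stand-in for a one-way scheme such as SHA512-CRYPT: salted pbkdf2 here, purely to
    model 'cannot be reversed'; this is not Dovecot's real SHA512-CRYPT format."""
    salt = os.urandom(16)
    return ("ONEWAY", (salt, hashlib.pbkdf2_hmac("sha512", pw.encode(), salt, 10_000)))

def cram_md5_client(user, pw, challenge):
    """What the client sends for CRAM-MD5 (RFC 2195): user plus HMAC-MD5(password, challenge).
    Only the digest crosses the wire, never the password."""
    return f"{user} {hmac.new(pw.encode(), challenge, hashlib.md5).hexdigest()}"

def verify(mechanism, stored, user, response, challenge=None):
    """Server-side check; returns (ok, reason)."""
    scheme, value = stored
    if mechanism == "PLAIN":
        # The password itself arrived (so TLS is mandatory); the server can apply any scheme.
        if scheme == "PLAIN":
            return (hmac.compare_digest(value, response), "compared plaintext")
        salt, h = value
        cand = hashlib.pbkdf2_hmac("sha512", response.encode(), salt, 10_000)
        return (hmac.compare_digest(h, cand), "rehashed and compared")
    if mechanism == "CRAM-MD5":
        if scheme != "PLAIN":
            # To recompute the HMAC the server needs the password (or a CRAM-MD5 context);
            # a one-way hash cannot provide it, so this is the log's "authentication failed".
            return (False, "challenge-response impossible with one-way stored hash")
        expected = cram_md5_client(user, value, challenge)
        return (hmac.compare_digest(expected, response), "recomputed HMAC")
    return (False, "unknown mechanism")

def demo(pw="correct horse", challenge=b"<1234.1484836385@remote.x.pt>"):
    """Run the cases the answer describes; returns a dict of booleans (inputs are constructed)."""
    plain_acct, hashed_acct = store_plain(pw), store_oneway(pw)
    resp = cram_md5_client("lcg", pw, challenge)
    return {
        "cram_vs_plain_db": verify("CRAM-MD5", plain_acct, "lcg", resp, challenge)[0],
        "cram_vs_hashed_db": verify("CRAM-MD5", hashed_acct, "lcg", resp, challenge)[0],
        "plain_vs_hashed_db": verify("PLAIN", hashed_acct, "lcg", pw)[0],
        "plain_wrong_pw": verify("PLAIN", hashed_acct, "lcg", "wrong")[0],
    }
```

The second case is the one behind the log lines in the question: a client that tries DIGEST-MD5 or CRAM-MD5 against a one-way stored hash fails, then falls back to PLAIN and succeeds.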