CSF/LFD Sasl Auth Failure

My Daily Logwatch reports a large amount of SMTP Authentication errors like the following:

--------------------- sasl auth daemon Begin ------------------------

 **Unmatched Entries** 

:auth failure: [user=smr@clarky.net] [service=smtp] [realm=clarky.net] [mech=pam] [reason=PAM auth error] 
: auth failure: [user=megaplan@clarky.net] [service=smtp] [realm=clarky.net] [mech=pam] [reason=PAM auth error] 
: auth failure: [user=pdf@clarky.net] [service=smtp] [realm=clarky.net] [mech=pam] [reason=PAM auth error] 
: auth failure: [user=development@clarky.net] [service=smtp] [realm=clarky.net] [mech=pam] [reason=PAM auth error]

This adds a large number of lines to the emailed report.

To counter this, here are the steps on an Ubuntu system.

1. Edit /etc/csf/csf.conf, find CUSTOM1_LOG and change it to:

CUSTOM1_LOG = "/var/log/mail.log"

2. Add the regex to catch the failed attempts against SASL by adding the following regular expression in /usr/local/csf/bin/regex.custom.pm:

 # Return list: message, IP, rule ID, trigger count, ports to block, temporary block time in seconds
 if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
     return ("Failed SASL login from",$1,"mysaslmatch","3","25","3600");
 }

3. Restart CSF and LFD:

#csf -r
#service lfd restart
#systemctl restart lfd

After that, be prepared to get a lot of emails about the blocked IPs for the set time (default is 3600 seconds or 1 hour). They eventually taper off, with the most offending IPs getting permanently blocked 🙂
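To see what the rule from step 2 catches in a mail.log, the check below applies the same pattern to sample lines and lists the SASL failures it does not match. This is an added example, not part of the original post or of CSF; the log lines are constructed (hypothetical host mx1, documentation IP addresses), and the count ignores the time window lfd applies.

```python
import re
from collections import Counter

# Pattern copied from the regex.custom.pm rule in step 2.
SASL_FAIL = re.compile(
    r"^\S+\s+\d+\s+\S+ \S+ postfix/smtpd\[\d+\]: warning:.*"
    r"\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed"
)
TRIGGER = 3  # fourth element of the rule's return list

# Constructed sample lines: hypothetical host "mx1", documentation addresses.
SAMPLE_LOG = """\
Feb  8 10:15:01 mx1 postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Feb  8 10:15:04 mx1 postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Feb  8 10:15:09 mx1 postfix/smtpd[2104]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Feb  8 10:16:30 mx1 postfix/smtpd[2110]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
Feb  8 10:17:02 mx1 postfix/smtpd[2111]: warning: unknown[198.51.100.20]: SASL CRAM-MD5 authentication failed: authentication failure
Feb  8 10:18:11 mx1 postfix/smtpd[2115]: warning: unknown[2001:db8::25]: SASL LOGIN authentication failed: authentication failure
2017-02-08T10:19:40+00:00 mx1 postfix/smtpd[2120]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
Feb  8 10:20:00 mx1 postfix/smtpd[2121]: connect from unknown[192.0.2.9]
"""

def scan(log_text, trigger=TRIGGER):
    """Return (hits per IP, IPs at or over the trigger, failure lines the rule missed)."""
    hits, missed = Counter(), []
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            hits[m.group(1)] += 1
        elif "authentication failed" in line:
            # A SASL failure the pattern does not cover: mechanism name with
            # digits or a hyphen, IPv6 client, or non-traditional timestamp.
            missed.append(line)
    blocked = sorted(ip for ip, n in hits.items() if n >= trigger)
    return hits, blocked, missed

if __name__ == "__main__":
    hits, blocked, missed = scan(SAMPLE_LOG)
    for ip, n in hits.items():
        print(f"{ip}: {n} matched failure(s)")
    print("would reach the trigger:", blocked)
    print("SASL failures the rule did not match:")
    for line in missed:
        print("  ", line)
```

Replacing SAMPLE_LOG with the contents of /var/log/mail.log shows how many real failures fall outside the rule before relying on it.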

Virtualmin Virtual Servers (GPL)

Following my last post, I have now found out that Webmin does not allow multiple virtual servers :-(, BUT there is a module called Virtualmin Virtual Servers (GPL), which is what I need.

To save myself hassle, I installed a compatible OS (CentOS 6 64bit) and simply installed Virtualmin with the install.sh script after downloading it:

cd /root
wget http://software.virtualmin.com/gpl/scripts/install.sh
sh ./install.sh

After this, my next move was to install CSF/LFD from configserver.com:
(there is now a new URI for the archive, which I changed on 2017-02-08)

# old URI, replaced on 2017-02-08:
# wget http://www.configserver.com/free/csf.tgz
wget https://download.configserver.com/csf.tgz
tar zxvf csf.tgz
cd csf
sh ./install.sh

Once installed, integrate it into Webmin and you’re good to go.

– Install the csf webmin module in:
Webmin > Webmin Configuration > Webmin Modules > From local file > /etc/csf/csfwebmin.tgz > Install Module

Email access problems

All worked well from the word go except the SMTP/POP3 (Dovecot) server; I was getting "Failed to connect to localhost:143 : Connection refused" (as well as on ports 993, 995, 110 and 25) when trying to connect either via my email client or Usermin.

System Information was reporting that Dovecot IMAP / POP3 Server was offline, and trying to start Dovecot failed:

Starting dovecot: Error: socket() failed: Address family not supported by protocol
Error: service(pop3-login): listen(::, 110) failed: Address family not supported by protocol
Error: socket() failed: Address family not supported by protocol
Error: service(pop3-login): listen(::, 995) failed: Address family not supported by protocol
Error: socket() failed: Address family not supported by protocol
Error: service(imap-login): listen(::, 143) failed: Address family not supported by protocol
Error: socket() failed: Address family not supported by protocol
Error: service(imap-login): listen(::, 993) failed: Address family not supported by protocol
Fatal: Failed to start listeners

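The fix was to edit the /etc/dovecot/dovecot.conf file, leaving the default listen line commented out and inserting listen = * so that Dovecot binds IPv4 only (the errors above all come from the IPv6 address ::). Here is how my edited file looks: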

# A comma separated list of IPs or hosts where to listen in for connections. 
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::
listen = *

Why the Dovecot server would come with this line disabled is baffling. Anyway, after this, Dovecot starts fine, allowing Usermin and email clients to connect without problems.
