Since we opened some of our servers to accept incoming mail we have noticed that we get a lot of AUTH attacks.
This results in messages like the following in our maillog
May 6 08:41:18 asa3 sendmail[20544]: o468f4FG020544: [189.3.123.235]: possible SMTP attack: command=AUTH, count=4
I've not found a way of simply telling sendmail to block an ip for a period when it detects more than 'n' AUTH failures.
As we don't use AUTH on the external interface as we just accept incoming email for a limited number of accounts I decided to disable AUTH on the external interface.
I edit /etc/mail/sendmail.mc and modified the Daemon Port settings as follows:-
Original
========
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
Amended
=======
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=x.x.x.x, Name=MTB, M=A')dnl
As you can see I simply updated MTA for the loopback address and created a new MTB which tells sendmail to listen on the external IP (x.x.x.x) but disables AUTH by specifying the M=A option.
Once thats done, I simply ran make and restarted sendmail.
Everything works as before except the AUTH command is now rejected by sendmail on the external interface as can be seen below.
# telnet x.x.x.x 25
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220 x.x.x.x ESMTP Sendmail 8.13.8/8.13.8; Thu, 6 May 2010 09:56:49 GMT
helo yyyyy
250 x.x.x.x Hello yyyyy, pleased to meet you
AUTH PLAIN AGptczFAam1zMS5uZXQAbm90Lm15LnJlYWwucGFzc3dvcmQ=
503 5.3.3 AUTH not available
Thursday 6 May 2010
Subscribe to:
Posts (Atom)