Error mail.log (SASL LOGIN)

dimgr · May 24, 2024, 7:04am

Hello. Vps server for ubuntu 22.04. I have this error mail.log in CSF. Please a help…

Webmin version	2.111	Usermin version	2.010
Virtualmin version	7.10.0

May 24 09:57:11 cp postfix/smtpd[2433]: disconnect from unknown[194.169.175.20] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 24 09:57:12 cp postfix/smtpd[2404]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 24 09:57:12 cp postfix/smtpd[2404]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 24 09:57:16 cp postfix/smtpd[1978]: connect from unknown[194.169.175.17]
May 24 09:57:23 cp postfix/smtpd[1978]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 24 09:57:23 cp postfix/smtpd[1978]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 24 09:57:24 cp postfix/smtpd[2433]: connect from unknown[194.169.175.20]
May 24 09:57:26 cp postfix/smtpd[2404]: connect from unknown[194.169.175.10]
May 24 09:57:27 cp postfix/smtpd[2433]: warning: unknown[194.169.175.20]: SASL LOGIN authentication failed: authentication failure
May 24 09:57:27 cp postfix/smtpd[2433]: disconnect from unknown[194.169.175.20] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 24 09:57:30 cp postfix/smtpd[1978]: connect from unknown[194.169.175.17]
May 24 09:57:30 cp postfix/smtpd[2404]: warning: unknown[194.169.175.10]: SASL LOGIN authentication failed: authentication failure
May 24 09:57:30 cp postfix/smtpd[2404]: disconnect from unknown[194.169.175.10] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 24 09:57:36 cp postfix/smtpd[1978]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 24 09:57:36 cp postfix/smtpd[1978]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 24 09:57:38 cp postfix/smtpd[2404]: connect from unknown[194.169.175.17]
May 24 09:57:41 cp postfix/smtpd[2404]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 24 09:57:41 cp postfix/smtpd[2404]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 24 09:57:45 cp postfix/smtpd[2433]: connect from unknown[194.169.175.20]
May 24 09:57:49 cp postfix/smtpd[1978]: connect from unknown[45.141.87.36]
May 24 09:57:49 cp postfix/smtpd[1978]: warning: TLS SNI from unknown[45.141.87.36] is invalid: 84.247.141.141
May 24 09:57:49 cp postfix/smtpd[2404]: connect from unknown[194.169.175.10]
May 24 09:57:49 cp postfix/smtpd[3692]: connect from unknown[194.169.175.17]
May 24 09:57:51 cp postfix/smtpd[1978]: warning: unknown[45.141.87.36]: SASL LOGIN authentication failed: authentication failure
May 24 09:57:51 cp postfix/smtpd[1978]: lost connection after AUTH from unknown[45.141.87.36]
May 24 09:57:51 cp postfix/smtpd[1978]: disconnect from unknown[45.141.87.36] ehlo=2 starttls=1 auth=0/1 commands=3/4
May 24 09:57:51 cp postfix/smtpd[2433]: warning: unknown[194.169.175.20]: SASL LOGIN authentication failed: authentication failure
May 24 09:57:52 cp postfix/smtpd[2433]: disconnect from unknown[194.169.175.20] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 24 09:57:54 cp postfix/smtpd[2404]: warning: unknown[194.169.175.10]: SASL LOGIN authentication failed: authentication failure
May 24 09:57:55 cp postfix/smtpd[2404]: disconnect from unknown[194.169.175.10] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 24 09:57:55 cp postfix/smtpd[3692]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: authentication failure
May 24 09:57:56 cp postfix/smtpd[3692]: disconnect from unknown[194.169.175.17] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 24 09:58:01 cp postfix/smtpd[1978]: connect from unknown[194.169.175.17]
May 24 09:58:06 cp postfix/smtpd[2433]: connect from unknown[194.169.175.20]

stefan1959 · May 24, 2024, 9:42am

New post
use this

dimgr · May 24, 2024, 12:11pm

In mine everything is correct csf.conf as in the image. Is ubuntu on your server?

Can you give me your csf.conf file so I can test it?

dimgr · May 24, 2024, 12:26pm

I found the problem!! In SMTPAUTH_LOG I had /var/log/maillog! It wasn’t .log, now I’m logged in normally!

May 24 15:08:11 cp lfd[3128]: (smtpauth) Failed SMTP AUTH login from 194.169.175.17 (LT/Lithuania/-): 20 in the last 3600 secs - Blocked in csf [LF_SMTPAUTH]
May 24 15:11:16 cp lfd[3479]: (smtpauth) Failed SMTP AUTH login from 194.169.175.20 (LT/Lithuania/-): 20 in the last 3600 secs - Blocked in csf [LF_SMTPAUTH]
May 24 15:11:46 cp lfd[3555]: (smtpauth) Failed SMTP AUTH login from 194.169.175.10 (LT/Lithuania/-): 20 in the last 3600 secs - Blocked in csf [LF_SMTPAUTH]
May 24 15:14:15 cp lfd[3745]: SYSLOG CHECK Failed to detect check line [deacZ2IrBU1VpbjqZwY] sent to SYSLOG

stefan1959 · May 24, 2024, 12:27pm

Yep I install on ubuntu. I had to change the SMTPAUTH_LOG to point tho the correct log file.
Default points to /var/log/secure, you need to edit to point to /var/log/mail.log else CSF won’t block the bad SASL logins.

dimgr · May 24, 2024, 12:28pm

Can you help me with the syslog error?

stefan1959 · May 24, 2024, 12:29pm

great good work.

dimgr · May 24, 2024, 12:44pm

Another help if you can tell me.
in the CSF The SYSLOG_LOG has path /var/log/messages. I don’t have this file on the server! What should I do?

stefan1959 · May 24, 2024, 12:54pm

I would think syslog , I really not a ubuntu person, but it look like a syslog

dimgr · May 24, 2024, 1:06pm

You did not understand! The file /var/log/messages as well as other .log files on my server is not active! Should I make everything active?

dimgr · May 24, 2024, 1:36pm

The problem with sasl login it still comes out…

May 24 16:34:50 cp postfix/smtpd[1955]: warning: unknown[194.169.175.20]: SASL LOGIN authentication failed: authentication failure

Τhe lf_smtpauth ok

May 24 16:33:28 cp lfd[4619]: (smtpauth) Failed SMTP AUTH login from 194.169.175.17 (LT/Lithuania/-): 20 in the last 3600 secs - Blocked in csf [LF_SMTPAUTH]

dimgr · May 24, 2024, 4:17pm

I restarted the server and now I have no errors, only syslog. Thanks for the help.

Joe · May 24, 2024, 5:50pm

Jebus, no. You probably shouldn’t even be using syslog.

africabloe · May 25, 2024, 2:45am

/var/log/syslog OR /var/log/messages:
Shows general messages and info regarding the system. Basically a data log of all activity throughout the global system. Know that everything that happens on Redhat-based systems, like CentOS or Rhel, will go in messages. Whereas for Ubuntu and other Debian systems, they go in /var/log/syslog.

/var/log/auth.log OR/var/log/secure:
Keep authentication logs for both successful or failed logins, and authentication processes. Storage depends on system type. For Debian/Ubuntu, look in /var/log/auth.log. For Redhat/CentOS, go to /var/log/secure.

What settings have I applied on my Ubuntu 22.04 with CSFirewall ?

On /etc/csf/csf.conf
Replace all:

/var/log/messages ➙ /var/log/syslog
/var/log/secure ➙ /var/log/auth.log

Restart CSF and LFD:

csf -r
systemctl restart lfd

On /etc/rsyslog.d/50-default.conf
Add:

*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/syslog

Restart:

sudo systemctl restart rsyslog

I think everything is fine that way.
If I am wrong please reply

stefan1959 · May 25, 2024, 7:32am

I found SMTPAUTH_LOG should be /var/log/mail.log
I tested with auth.log but it did pick up any failures.
I think the failures in there are in the wrong format for CSF

stefan1959 · May 25, 2024, 7:43am

/var/log/messages
don’t use it if its not yes.

dimgr · May 25, 2024, 7:05pm

Can you tell me why you added this code? Do I need to do it too?

On /etc/rsyslog.d/50-default.conf
Add:

*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/syslog

stefan1959 · May 25, 2024, 10:24pm

I wouldn’t change anything if it working, don’t fix things that are not broke.

If you do you will need to update CSF to /var/log/syslog as per screenshot

africabloe · May 25, 2024, 11:51pm

Because I didn’t have the /var/log/messages file and CSF would sometimes show me the message “SYSLOG Check Failed”
I searched on Internet and I saw dozens of people who had the same problem.
One of the solutions was on my Ubuntu system to add this code without create the /var/log/messages file and change all the:
/var/log/messages ➙ /var/log/syslog
/var/log/secure ➙ /var/log/auth.log
So I did that and I think that CSF is working OK on my system. But I keep have the email from CSF that “SYSLOG Check Failed”.
Another solution was to create these files and do not change anything on CSF. But I tried and nothing better happened.
But, both ways CSF works amazingly on my server.
I would suggest you not to make radical changes and if you don’t have the messages file and the secure file, then just change the CSF settings, as I have done on my previous post on CSF settings, or create the message and secure files with the following commands:
touch /var/log/messages
touch /var/log/secure
In the end I am not an expert. I am a simple user and every server have different requirements

Now I have changed some settings as per suggestion of stefan1959 and CSF keep working exactly excellent as before.

shoulders · May 26, 2024, 8:09am

Does the OP have rsyslog installed and running?

systemctl --type=service --state=running | grep rsyslog

or

systemctl status rsyslog

Recently Ubuntu might remove rsyslog from the default minimal server installed. this affects what log files are available.

NB: I am not recommending installing it, just check and see if this is the issue why you do not see some log files.