#1035525 sendmail-bin: Change log level of saslauthd failed auth attempts

Package:
sendmail-bin
Source:
sendmail-bin
Description:
powerful, efficient, and scalable Mail Transport Agent
Submitter:
E Harris
Date:
2023-05-04 19:12:07 UTC
Severity:
normal
#1035525#5
Date:
2023-05-04 18:58:15 UTC
It seems to be a pretty big security issue that there is no coherent reporting/logging
of failed auth login attempts when using saslauthd with sendmail.

The saslauthd log lines for failed auth attempts are similar to this:

May 04 13:32:49 somehost saslauthd[2996]:                 : auth failure: [user=mailtest] [service=smtp] [realm=somerealm] [mech=pam] [reason=PAM auth error]

But saslauthd does not report the IP address that originated the auth attempt
(probably because it doesn't know it?), and sendmail (by default) doesn't seem
to report the failed auth attempt at all.

This deficiency prevents trying to take active steps (for example using fail2ban) to
try to protect against repeated brute force auth hacking attempts.

I think that sendmail may already have the ability to report AUTH failures, but that those
are only enabled with high log levels that include lots of other log spam.

It seems to me that a failed auth login should be reported by default by sendmail,
since it knows both the IP the attempt originated from and the status of the
auth attempt, and I would like to see this reporting enabled in the standard packages.

If there is a way to easily indicate that the auth attempt is for a user that doesn't
even exist, that would be even better, as that would be a pretty clear indication of a
potential hack attempt.
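As an added example (not part of the bug report or of sendmail/saslauthd), the following parses the saslauthd "auth failure" line format quoted above and flags users with repeated failures in a sliding time window; the log lines, the year and the thresholds are constructed assumptions. It shows what a defender can still derive from saslauthd alone when, as the report describes, no client IP is logged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# saslauthd really emits a run of spaces before the second ':', so the
# pattern tolerates arbitrary whitespace there.  Day may be space-padded.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"saslauthd\[\d+\]:\s*:\s*auth failure: (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")  # [user=...] [service=...] ...


def parse_failure(line, year=2023):
    """Return (timestamp, {field: value}) for a saslauthd failure line, else None.
    Syslog timestamps carry no year, so one is assumed (constructed default)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, dict(FIELD_RE.findall(m.group("fields")))


def repeated_failures(lines, threshold=3, window_seconds=60):
    """Return {user: peak_count} for users hitting >= threshold failures
    within any window_seconds span.  Lines are assumed to be in time order.
    Keyed on user only, because saslauthd gives no client address."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, fields = parsed
        user = fields.get("user", "?")
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old hits
            q.popleft()
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


# Constructed sample lines in the format quoted in the report (not real data).
FAIL = ("somehost saslauthd[2996]:                 : auth failure: [user={u}] "
        "[service=smtp] [realm=somerealm] [mech=pam] [reason=PAM auth error]")
SAMPLE_LOG = [
    "May 04 13:32:49 " + FAIL.format(u="mailtest"),
    "May 04 13:32:51 " + FAIL.format(u="mailtest"),
    "May 04 13:32:53 " + FAIL.format(u="mailtest"),
    "May 04 13:40:00 " + FAIL.format(u="alice"),
    "May 04 13:40:01 somehost sendmail[3001]: unrelated line",
]
```

Running `repeated_failures(SAMPLE_LOG)` over the sample returns `{"mailtest": 3}`, which is enough to alert on, but not enough to feed a per-IP blocker such as fail2ban.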