Articles in this section

See more

Constant 'failed mail authenticatication' entries are logged in mail log in Plesk server

Avatar
Renan Poss Moreira
Updated
Plesk for Windows Plesk for Linux kb: technical ABT: Group B

Applicable to:

  • Plesk for Linux
  • Plesk for Windows

Symptoms

The following record appears every second in /var/log/maillog file:

CONFIG_TEXT: plesk_saslauthd[5222]: failed mail authenticatication attempt for user 'jdoe@example.com' (password len=7)plesk_saslauthd[5222]: failed mail authenticatication attempt for user 'jdoe@example.com' (password len=8)postfix/smtpd[14640]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure

Cause

The server is under brute force attack.

Resolution

Install software which protects the server from the Brute Force Attacks:

Linux

  1. Install Fail2Ban according to the article How to install fail2ban on Plesk for Linux.

  2. Log into Plesk;

  3. Go to Tools & Settings > IP Address Banning (Fail2Ban);

  4. Mark the Enable intrusion detection checkbox and specify the following settings:

    • IP address ban period – the time interval in seconds for which an IP address is banned. When this period is over, the IP address is automatically unbanned.

    • Time interval for detection of subsequent attacks - the time interval in seconds during which the system counts the number of unsuccessful login attempts and other unwanted actions from an IP address.

    • Number of failures before the IP address is banned – the number of failed login attempts from the IP address.

  5. Activate Fail2Ban service by clicking the Apply button.

  6. Go to Jails tab.

  7. Mark plesk-dovecot, plesk-horde, plesk-roundcube, plesk-postfix and recidive jails and press the Switch On button to turn the selected jails on.

Windows

To prevent brute force attack, install a tool like Fail2ban, once Fail2ban is only available to Linux systems, for example, ts_block.

In order to verify whether or not the server is vulnerable to this threat, check the following article:

How to test if a server is secured from abuse (Open Relay Test)

Additionally, to limit brute force attempts, configure MailEnable to block abuser IP:

  1. Connect to the server via RDP;

  2. Go to Windows > MailEnableAdmin > Connection dropping > Server > Services and Connector > right-click on SMTP > Properties > Security tab:

    7.png

Additional Information

Comments

2 comments

Sort by Date Votes
  • Avatar
    Gravu Trad

    Not enough to protect

    0
  • Avatar
    Gjimi

    Lately postfix/smtpd is no longer visible, but only plesk_saslauthd 

    without an IP address, so Fail2Ban cannot block, is there a solution here?

    0

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles