Writing

Software, technology, sysadmin war stories, and more. Feed
Wednesday, February 15, 2012

Rotate the shield harmonics if you allow SMTP AUTH with LOGIN

Do you run a mail server which answers on port 25 and allows SMTP AUTH with "plain" or "login" over non-TLS connections? Odds are, your server is being tested over and over again by random dictionary attacking hosts. It's not just limited to ssh attempts any more. You might not even be aware of it.

Here's one way to know if something weird is up. Go look for lines in your mail log that say something like "host.name [xx.xx.xx.xx] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA", assuming you're running sendmail. Sometimes, that'll just be some random port scanning connection, but when you see a bunch of them from the same host over and over, it's probably something far worse.

One simple way to reduce some of the annoyance is to just tell your MTA to not allow those methods over unencrypted connections. They'll still try the AUTH LOGIN and AUTH PLAIN since they don't seem to actually parse the list given by EHLO, but it won't actually get anywhere. Even if it hits a good combination, it won't work.

Sure, eventually they'll start pounding on the door after negotiating TLS with you, but for now, it's surprisingly simple to keep things at bay. All you have to do is keep making life interesting. Maybe ditching all LOGIN and PLAIN in favor of CRAM-MD5 will be next.