Join Log in
Score:1
avatar Server

How to prevent sasl_username root from loggin in?

bo flag
user102362

My Postfix server keeps getting used by spammers. Here is the output of sudo postcat -vq for the last spam message caught:

└──> sudo postcat -vq 3513818A8A
postcat: name_mask: all
postcat: inet_addr_local: configured 2 IPv4 addresses
postcat: inet_addr_local: configured 2 IPv6 addresses
*** ENVELOPE RECORDS deferred/3/3513818A8A ***
message_size:            8412             720               1               0            8412
message_arrival_time: Thu Aug 19 13:35:50 2021
create_time: Thu Aug 19 13:35:50 2021
named_attribute: log_ident=3513818A8A
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=root
sender: [email protected]
named_attribute: log_client_name=unknown
named_attribute: log_client_address=93.122.252.4
named_attribute: log_client_port=16374
named_attribute: log_message_origin=unknown[93.122.252.4]
named_attribute: log_helo_name=109-166-129-221.orangero.net
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=unknown
named_attribute: client_address=93.122.252.4
named_attribute: client_port=16374
named_attribute: helo_name=109-166-129-221.orangero.net
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]

Based on these two lines:

named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=root

I believe the spammer is successfully logging as root and then sending their spam messages out of my server. And that's confirmed by running sudo cat /var/log/maillog | grep sasl_username=root which shows lot's of entries like:

Aug 19 17:13:15 mail postfix/smtpd[11442]: EA58D18CCD: client=unknown[93.122.252.4], sasl_method=LOGIN, sasl_username=root
Aug 19 17:13:17 mail postfix/smtpd[11442]: BDA4E18D32: client=unknown[93.122.252.4], sasl_method=LOGIN, sasl_username=root
Aug 19 17:13:19 mail postfix/smtpd[11442]: 7387E18D31: client=unknown[93.122.252.4], sasl_method=LOGIN, sasl_username=root
Aug 19 17:13:21 mail postfix/smtpd[11442]: 1C0FB18D34: client=unknown[93.122.252.4], sasl_method=LOGIN, sasl_username=root
Aug 19 17:13:22 mail postfix/smtpd[11442]: DCB4418D36: client=unknown[93.122.252.4], sasl_method=LOGIN, sasl_username=root
Aug 19 17:13:24 mail postfix/smtpd[11442]: B62DD18D39: client=unknown[93.122.252.4], sasl_method=LOGIN, sasl_username=root
Aug 19 17:13:26 mail postfix/smtpd[11442]: 6F52B18D38: client=unknown[93.122.252.4], sasl_method=LOGIN, sasl_username=root
Aug 19 17:13:28 mail postfix/smtpd[11442]: 24DEF18D3A: client=unknown[93.122.252.4], sasl_method=LOGIN, sasl_username=root
Aug 19 17:13:29 mail postfix/smtpd[11442]: A30B418D3C: client=unknown[93.122.252.4], sasl_method=LOGIN, sasl_username=root
Aug 19 17:13:31 mail postfix/smtpd[11442]: 88D8318D3B: client=unknown[93.122.252.4], sasl_method=LOGIN, sasl_username=root
Aug 19 17:13:33 mail postfix/smtpd[11442]: 11F6118D44: client=unknown[93.122.252.4], sasl_method=LOGIN, sasl_username=root

I have Dovecot running on the server besides Postfix, so checking the /etc/dovecot/conf.d/10-mail.conf files shows:

# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
first_valid_uid = 1000
#last_valid_uid = 0

So I'm now lost how exactly the spammer is managing to authenticate as root. Goes without saying the root user is disabled on the system.

Any suggestions how to completely prevent sasl_username root from logging into the system?

240
1 + 2
anx avatar
fr flag
anx
I suspect you are not using Dovecot to validate sasl logins. The output of the command `postconf smtpd_sasl_type` will tell. I also doubt that you have a good reason to accept authenticated submissions on port 25 (the line starting `smtp inet`), so review your master.cf and ensure that `-o smtpd_sasl_auth_enable=yes` only appears attached to services meant for submission (the line starting `smtps inet` and optionally `submission inet`).
0
Reply
bo flag
user102362
You were right: running `postconf smtpd_sasl_type` has pointed to `cyrus`. But then searching for `cyrus` on the system shows some entries in `selinux` (which is disabled) and some in `/usr/share/doc/`, so no any configuration files.
1
Reply
Score:1
anx avatar Server
fr flag
anx

Without knowing who setup that system that way and why, I cannot give specific recommendation. But I can say that the overwhelming majority of servers where Dovecot handles IMAP authentication are well served by letting Dovecot also handle SMTP authentication, and that is how your Dovecot configuration first_valid_uid would become effective for mail submission as well.

Read the relevant documentation and then consider configuring your Postfix to defer authentication to Dovecot, typically these lines in main.cf:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Additionally, consider setting smtpd_sasl_auth_enable = no in main.cf and removing the first smtpd_sasl_auth_enable=yes up in your master.cf. Authentication is typically only desirable for services meant for submission (the line starting smtps inet and optionally submission inet), so it should be enabled only for one or two such services via master.cf. This would break clients that use port 25 to submit authenticated mail - but such clients configuration probably need review anyway if you are changing onfiguration.

0 + 3
anx avatar
fr flag
anx
Once *new* submission are properly restricted, you still have to deal with previously submitted and still queued mail, for that you likely want to use [postsuper](https://serverfault.com/search?q=postsuper).
0
Reply
bo flag
user102362
The system came set in that way together with Webmin/Virtualmin. Setting `smtpd_sasl_auth_enable=` to `no` in line that starts with `smtp` in master.cf file seems to have stopped all undesired sasl auth attempts, at the same time giving legitimate users to continue to use their mail clients. Thanks a lot!
0
Reply
anx avatar
fr flag
anx
@user102362 Just to be super clear here: Disabling the authentication features on one particular port where it is unnecessary may stop one particular bot abusing your misconfigured authentication setup - *but you still must fix* your authentication configuration, as your server could still be abused that way on the other ports used by legitimate user!
0
Reply
Score:1
avatar Server
ec flag
Jarris

Lately I have had exactly the same on my uptodate Ubuntu box. I am sure I had smtpd_sasl_type = dovecot and smtpd_sasl_path = private/auth set.

I have the same question as user102362 has: when I read this in my config:

# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.

I assume that its not possible to authenticate as root. But then, WHY is this possible:

Jan 19 21:16:46 VPS postfix/smtpd[9392]: EF1B6BD5B8: client=unknown[213.233.y.x], sasl_method=LOGIN, sasl_username=root

and resulted in sending lots of unsolicited mail?

Coincidence or not, the (successful) SASL authentications came from the same country and operator, so I decided to block the following blocks completely:

93.122.128.0/17
213.233.88.0/24
46.97.176.0/21
178.138.64.0/18
109.166.128.0/17

And I changed the root (and other accounts) password.

0 + 0
Score:0
J Kang avatar Server
rw flag
J Kang

Actually, first_valid_uid only affects Dovecot's userdb lookup in passwd database and does not impact the passdb lookup. After delving into the source files, it becomes clear that the validity check takes place in the passwd_iterate_want_pw function located in the file core/src/auth/userdb-passwd.c:

static bool passwd_iterate_want_pw(struct passwd *pw, const struct auth_settings *set) {
    /* Skip entries not in the valid UID range.
       They're users for daemons and such. */
    if (pw->pw_uid < (uid_t)set->first_valid_uid)
        return FALSE;
    if (pw->pw_uid > (uid_t)set->last_valid_uid && set->last_valid_uid != 0)
        return FALSE;
    if (pw->pw_gid < (gid_t)set->first_valid_gid)
        return FALSE;
    if (pw->pw_gid > (gid_t)set->last_valid_gid && set->last_valid_gid != 0)
        return FALSE;
    return TRUE;
}

If the function returns FALSE, the userdb lookup will skip that user, resulting in an error stating that the user is not found.

However, during the passdb lookup, a separate database is used to verify the username and password. Taking the default driver pam as an example, its configuration file is located at /etc/pam.d/dovecot, and lookup is performed in /etc/shadow. The passdb lookup does not involve checking the validity of the username with the passwd database for userdb.

When the auth_debug = yes setting is enabled in Dovecot's configuration file, here is an example of logs generated during an smtpd authentication:

1111-11-11T11:11:41.122920+00:00 myserver dovecot: auth: Debug: client in: AUTH#0114#011plain#011service=smtp#011nologin#011lip=127.0.0.1#011rip=127.0.0.1.87#011secured
1111-11-11T11:11:41.123831+00:00 myserver dovecot: auth: Debug: client passdb out: CONT#0114#011
1111-11-11T11:11:43.185585+00:00 myserver dovecot: auth: Debug: client in: CONT<hidden>
1111-11-11T11:11:43.185703+00:00 myserver dovecot: auth: Debug: pam(root,127.0.0.1.87): Performing passdb lookup
1111-11-11T11:11:43.194570+00:00 myserver dovecot: auth-worker(37592): Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
1111-11-11T11:11:43.195187+00:00 myserver dovecot: auth-worker(37592): Debug: Module loaded: /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
1111-11-11T11:11:43.195807+00:00 myserver dovecot: auth-worker(37592): Debug: conn unix:auth-worker (pid=37547,uid=107): Server accepted connection (fd=13)
1111-11-11T11:11:43.196014+00:00 myserver dovecot: auth-worker(37592): Debug: conn unix:auth-worker (pid=37547,uid=107): Sending version handshake
1111-11-11T11:11:43.196326+00:00 myserver dovecot: auth-worker(37592): Debug: conn unix:auth-worker (pid=37547,uid=107): auth-worker<1>: Handling PASSV request
1111-11-11T11:11:43.196575+00:00 myserver dovecot: auth-worker(37592): Debug: conn unix:auth-worker (pid=37547,uid=107): auth-worker<1>: pam(root,127.0.0.1.87): Performing passdb lookup
1111-11-11T11:11:43.196757+00:00 myserver dovecot: auth-worker(37592): Debug: conn unix:auth-worker (pid=37547,uid=107): auth-worker<1>: pam(root,127.0.0.1.87): lookup service=dovecot
1111-11-11T11:11:43.199784+00:00 myserver dovecot: auth-worker(37592): Debug: conn unix:auth-worker (pid=37547,uid=107): auth-worker<1>: pam(root,127.0.0.1.87): #1/1 style=1 msg=Password: 
1111-11-11T11:11:45.306854+00:00 myserver dovecot: auth: Debug: pam(root,127.0.0.1.87): Finished passdb lookup

As you can see, only the pam module is called throughout the process, and there is no module to determine the validity of the user like the passwd module. Consequently, the root user can pass the SMTPD authentication as long as the password is correct and can send emails without any issues, although they won't be able to receive emails.

Considering the security vulnerabilities that enabling password login for the root user brings, it is advisable to run the command passwd -l root to disable the password for root. This command sets an impossible value for the root user's password in the /etc/shadow file. Consequently, no matter what password is attempted for root in SASL, the pam module will return an error Authentication failure (Password mismatch?), thus preventing root from logging in via SASL.

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.