The newest version of qpsmtpd, qpsmtpd-0.84-15.el6.sme.noarch, unfortunately still includes a bug I've described earlier (
http://bugs.contribs.org/show_bug.cgi?id=8525).
The bug shows up when someone tries to login to qpsmtpd with a user name that includes x00 (null) characters. The attempt fails as it should, but the message in /var/log/qpsmtpd/current doesn't show the IP address of the login attempt. This makes it impossible for fail2ban to ban this IP address, and the login attempts can go on and on. With literally tens of attempts each second, tens of thousands or more attempts in total, this puts a noticeable load on the server and fills up the log-files.
I've also suggested a patch for the bug, but as this patch is not included in the current version of qpsmtpd, you will have to apply it yourself. Use your favorite editor to open the file /usr/share/qpsmtpd/plugins/auth/auth_cvm_unix_local. Around line 83 you'll find these lines of code:
my ( $self, $transaction, $method, $user, $passClear, $passHash, $ticket ) =
@_;
Right after the above lines, simply add the following lines
if ($user =~ /\x00/) {
$self->log(LOGERROR, "deny: invalid username");
return (DENY, "authcvm, invalid username");
};
This makes qpsmtpd log the attempts properly, and fail2ban will be able to block the IP-address in question. After the patch, restart qpsmtpd and sqpsmtpd.
$ sv restart qpsmtpd
$sv restart sqpsmtpd
1 Replies
7159 Views