Automated attacks against Postfix

Yesterday evening I discovered thousands of lines like these in my server’s mail logfile:

Jun 12 08:58:37 colwyn postfix/smtpd[25605]: warning: unknown[212.154.6.176]: SASL CRAM-MD5 authentication failed: PDM3MjM3NzE1Mzk1NjU1MDEuMTMwNzg2NTUxNUBjb2x3eW4uemhhZHVtLm9yZy51az4=
Jun 12 08:58:44 colwyn postfix/smtpd[25605]: warning: unknown[212.154.6.176]: SASL CRAM-MD5 authentication failed: PDU0MDA0NDczMjgzNjU2NDAuMTMwNzg2NTUyMkBjb2x3eW4uemhhZHVtLm9yZy51az4=
[...]
Jun 12 23:00:15 colwyn postfix/smtpd[12864]: warning: unknown[212.154.6.176]: SASL CRAM-MD5 authentication failed: PDQ2NjM4MzI0NTAyNTQ2ODIuMTMwNzkxNjAxM0Bjb2x3eW4uemhhZHVtLm9yZy51az4=
Jun 12 23:00:26 colwyn postfix/smtpd[12864]: warning: unknown[212.154.6.176]: SASL CRAM-MD5 authentication failed: PDMxMTA4OTY1MjgzOTM0OTkuMTMwNzkxNjAyNEBjb2x3eW4uemhhZHVtLm9yZy51az4=

It looks like somebody has written a program which tries to exploit a security vulnerability in Postfix’s Cyrus SASL component.

Fortunately NetBSD isn’t affected as the bundled Postfix binaries don’t include Cyrus SASL support. But if you are using Postfix 2.8.2 or older from pkgsrc with the sasl option enabled you should update to Postfix 2.8.3 or newer as soon as possible.
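A way to triage log lines like the ones quoted above, added here as an example and not part of the original post: it counts SASL failures per source address and mechanism and base64-decodes the trailing field, which for these samples yields a string of the form `<digits.unix-time@hostname>`. The function names and the threshold of 3 failures are assumptions chosen for the illustration.

```python
import base64
import re
from collections import Counter

# Log lines copied from the post above.
SAMPLE_LOG = """\
Jun 12 08:58:37 colwyn postfix/smtpd[25605]: warning: unknown[212.154.6.176]: SASL CRAM-MD5 authentication failed: PDM3MjM3NzE1Mzk1NjU1MDEuMTMwNzg2NTUxNUBjb2x3eW4uemhhZHVtLm9yZy51az4=
Jun 12 08:58:44 colwyn postfix/smtpd[25605]: warning: unknown[212.154.6.176]: SASL CRAM-MD5 authentication failed: PDU0MDA0NDczMjgzNjU2NDAuMTMwNzg2NTUyMkBjb2x3eW4uemhhZHVtLm9yZy51az4=
Jun 12 23:00:15 colwyn postfix/smtpd[12864]: warning: unknown[212.154.6.176]: SASL CRAM-MD5 authentication failed: PDQ2NjM4MzI0NTAyNTQ2ODIuMTMwNzkxNjAxM0Bjb2x3eW4uemhhZHVtLm9yZy51az4=
Jun 12 23:00:26 colwyn postfix/smtpd[12864]: warning: unknown[212.154.6.176]: SASL CRAM-MD5 authentication failed: PDMxMTA4OTY1MjgzOTM0OTkuMTMwNzkxNjAyNEBjb2x3eW4uemhhZHVtLm9yZy51az4=
"""

# Matches the smtpd warning format shown in the post.
FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: ?(?P<detail>\S*)"
)
# Shape of the decoded trailing field in the sample lines.
CHALLENGE_RE = re.compile(r"^<(\d+)\.(\d+)@([^>]+)>$")


def decode_detail(detail):
    """Return (nonce, unix_time, hostname), or None if the field is not
    base64 or does not decode to the <digits.time@host> shape."""
    try:
        text = base64.b64decode(detail, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    m = CHALLENGE_RE.match(text)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None


def summarize(log_text, threshold=3):
    """Count failures per (ip, mechanism); flag keys at or above threshold."""
    failures = Counter()
    challenges = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # unrelated log line
        key = (m["ip"], m["mech"])
        failures[key] += 1
        challenges.setdefault(key, []).append(decode_detail(m["detail"]))
    flagged = sorted(k for k, n in failures.items() if n >= threshold)
    return failures, challenges, flagged


if __name__ == "__main__":
    counts, decoded, flagged = summarize(SAMPLE_LOG)
    for key in flagged:
        print(key, counts[key], decoded[key][0])
```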
