On 07/14/2013 03:26 AM, Paul van der Vlis wrote: > Hello, > > Dovecot is logging authentication failures this way: > ------ > Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22 > attempts in 172 secs): user=<info>, method=PLAIN, rip=82.95.148.152, > lip=1.2.3.4, TLS, session=<QylMqlLhVwBSX5SY> > ------
Is there a reason why you are allowing PLAIN text login (disable_plaintext_auth = no)? I do not allow plaintext login and I get messages like: Jul 12 16:03:27 sbh16 dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=219.84.103.232, lip=72.52.113.38, session=<RBK6hFjhggDbVGfo> I also have service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 } } and for secure login failures I get messages like: Jul 14 11:38:57 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<gpc>, method=APOP, rip=68.183.193.239, lip=72.52.113.16, TLS, session=<8/ZeDn3hNwBEt8Hv> and in fail2ban I have failregex = Aborted login \(.*\): .*rip=<HOST>, Disconnected \(tried to use disabled.*\): .*rip=<HOST>, warning:.*\[<HOST>\]: SASL [^ ]+ authentication failed: I'm running Dovecot 2.2.4, but the above hasn't changed for a long time. -- Mark Sapiro <m...@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan