OK, I was chasing log ghosts. What was actually going on was fail2ban was
kicking on for users and banning them for 10 min. 

I have no idea what is triggering it for so many different users from legit
email addresses. Still investigating. But this appears to be a fail2ban
problem, not a dovecot problem. 



     On Jan 22, 2024, at 10:41 AM, Steve Dondley via dovecot
     <dovecot@dovecot.org> wrote:

     Based on your email I went back and took a closer look at the logs.

     The client reported this happened at 11:58 of the 19th. I went back
     and took a closer look and around 11:56 I found these entries in the
     log.

      81218 Jan 18 11:56:56 ip-172-30-0-131 dovecot: imap
     (t.olixxxx)<3739040></
     Z84+joPNhRsOgYu>: Connection closed (IDLE running for 0.001 + waiting
     input for
     1175.376 secs, 2 B in + 10 B out, state=wait-input) in=182 out=172366
     deleted=0
     expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0      
      body_bytes=0
      81219 Jan 18 11:56:56 ip-172-30-0-131 dovecot: imap
     (s.damxxxx)<3739037><iQY3+joPottsOgYu>: Connection closed (IDLE
     running for
     0.001 + waiting input for 1174.763 secs, 2 B in + 10 B out,
     state=wait-input)
     in=182 out=799331 deleted=0 expunged=0 trashed=0 hdr_count=0
     hdr_bytes=0
     body_count=0        body_bytes=0
      81220 Jan 18 11:56:59 ip-172-30-0-131 postfix/smtpd[3740240]:
     warning:
     hostname 179.hosted-by.198xd.com does not resolve to address
     45.129.14.179:
     Name or service not known
      81221 Jan 18 11:56:59 ip-172-30-0-131 postfix/smtpd[3740240]:
     connect from
     unknown[45.129.14.179]
      81222 Jan 18 11:57:00 ip-172-30-0-131 dovecot: imap
     (j.pomexxxxx)<3739095><k7z3/zoPqLdsOgYu>: Connection closed (IDLE
     running for
     0.001 + waiting input for 1078.221 secs, 2 B in + 10 B out,
     state=wait-input)
     in=165 out=801497 deleted=0 expunged=0 trashed=0 hdr_count=0
     hdr_bytes=0
     body_count=       0 body_bytes=0
      81223 Jan 18 11:57:00 ip-172-30-0-131 dovecot: imap
     (a.cerxxxxx)<3739042><JCXQ+joPu5JsOgYu>: Connection closed (IDLE
     running for
     0.001 + waiting input for 1169.527 secs, 2 B in + 10 B out,
     state=wait-input)
     in=182 out=303618 deleted=0 expunged=0 trashed=0 hdr_count=0
     hdr_bytes=0
     body_count=0        body_bytes=0
      81224 Jan 18 11:57:00 ip-172-30-0-131 dovecot: imap
     (h.foxxxxx)<3739034><kpEo+joP9g5sOgYu>: Connection closed (IDLE
     running for
     0.001 + waiting input for 1180.675 secs, 2 B in + 10 B out,
     state=wait-input)
     in=194 out=1927 deleted=0 expunged=0 trashed=0 hdr_count=0
     hdr_bytes=0
     body_count=0 bo       dy_bytes=0
      81225 Jan 18 11:57:00 ip-172-30-0-131 dovecot: imap
     (dxxxxxx)<3739057><xljV/
     DoPPnZsOgYu>: Connection closed (IDLE running for 0.001 + waiting
     input for
     1135.454 secs, 2 B in + 10 B out, state=wait-input) in=182 out=458253
     deleted=0
     expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 bod      
     y_bytes=0


     So these have real user names associated (have been obfuscated). I
     think these are more likely the source of the error some users have
     been seeing, not the errors I originally posted here to the mailing
     list.



         On Jan 21, 2024, at 8:34 PM, Benny Pedersen <m...@junc.eu> wrote:

         Steve Dondley via dovecot skrev den 2024-01-22 02:18:
              I have a mail server using dovecot that has been running
              without issue for quite a couple of years now. It serves
              email for about 30 individuals.
              But since Jan 14th, users have been reporting spurious
              errors in MS Outlook:
               324 Jan 21 00:38:17 ip-172-30-0-131 dovecot: pop3-login:
              Disconnected (no auth attempts in 0 secs): user=<>,
              rip=118.xxx.xxx.xxx, lip=172.30.0.131, TLS handshaking:
              read(size=596) failed: Connection reset by peer,
              session=<mu/JHm4Ptup2wSuN>

         there is no user in the above line

              Some characteristics of the problem that may offer a clue:
              * happening with multiple users, not just the same one
              * happens from different IP addresses.

         bots detected

              * happens about 3 to 5 times per day and the errors come in
              batches like above
              * MS Outlook error is:

         why is it a microsoft problem now ?

              reported error (0x80042109): ‘Outlook cannot connect to your
              outgoing SMTP email server. If you continue to receive this
              message….blah blah blah

         disable pop3 in dovecot, problem is then gone

              I googled the error code but didn’t find anything
              particularly helpful.

         we all use minimal tls1.2, the bots still use ssl, with username
         fails

              I’m running Debian bullseye, version 11.8.

         irrelevant info

         _______________________________________________
         dovecot mailing list -- dovecot@dovecot.org
         To unsubscribe send an email to dovecot-le...@dovecot.org
