Re: [Dovecot] Auth Worker failures

2011-11-04 Thread Timo Sirainen
On Thu, 2011-10-20 at 16:24 -0400, Simon Brereton wrote:
> Oct 20 06:25:14 mail dovecot: auth-worker(default):
> sql(si...@example.net,127.0.0.1): CRYPT() != 'RaNDomsTRinG'

CRYPT() means that it attempted to log in with an empty password.

> I'm still sure this is the webmail trying to log in though..

Yeah, could be. But why it tries it with an empty password, I've no
idea.
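The check discussed above, as an added example that is not part of the original thread or of Dovecot: it rejoins mail-wrapped log records, then flags empty-password logins from both the `SCHEME() != '…'` mismatch line and the SASL PLAIN `resp=` field, reporting only that the password was empty and never its value. The sample log lines, the `user@example.net` account and all function names are constructed for illustration.

```python
import base64
import re

TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
MISMATCH = re.compile(r"sql\((?P<user>[^,]+),(?P<rip>[^)]+)\): "
                      r"(?P<scheme>[A-Z0-9-]+)\((?P<tried>.*)\) != '")

def unwrap(text):
    """Rejoin mail-wrapped records: a line with no timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def plain_password_len(resp_b64):
    """SASL PLAIN is base64(authzid NUL authcid NUL passwd); return len(passwd) or None."""
    try:
        parts = base64.b64decode(resp_b64, validate=True).split(b"\0")
    except ValueError:  # redacted or truncated resp= values land here
        return None
    return len(parts[2]) if len(parts) == 3 else None

def empty_password_attempts(text):
    """Report empty-password logins without ever emitting a password value."""
    hits = []
    for rec in unwrap(text):
        if "client in: AUTH#011" in rec:  # syslog escapes TAB as #011
            fields = rec.split("client in: ", 1)[1].split("#011")
            params = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
            if (len(fields) > 2 and fields[2] == "PLAIN"
                    and plain_password_len(params.get("resp", "")) == 0):
                hits.append(("request", fields[1], params.get("rip")))
        m = MISMATCH.search(rec)
        if m and m.group("tried") == "":
            hits.append(("mismatch", m.group("user"), m.group("rip")))
    return hits

def _resp(user, password):  # builds constructed sample data only
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()

SAMPLE = "\n".join([  # constructed log lines, not taken from the thread
    "Oct 20 06:25:14 mail dovecot: auth(default): client in:",
    "AUTH#0112#011PLAIN#011service=imap#011secured#011rip=127.0.0.1#011resp=" + _resp("user@example.net", ""),
    "Oct 20 06:25:14 mail dovecot: auth-worker(default):",
    "sql(user@example.net,127.0.0.1): CRYPT() != 'ConstructedHash'",
    "Oct 20 06:25:20 mail dovecot: auth(default): client in:",
    "AUTH#0113#011PLAIN#011service=imap#011rip=192.0.2.7#011resp=" + _resp("user@example.net", "wrong-guess"),
    "Oct 20 06:25:20 mail dovecot: auth-worker(default):",
    "sql(user@example.net,192.0.2.7): CRYPT(wrong-guess) != 'ConstructedHash'",
])
```

Because `auth_debug_passwords=yes` writes attempted passwords to the log in cleartext, a filter like this lets the setting be switched off again as soon as the empty-password question is answered.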




Re: [Dovecot] Auth Worker failures

2011-10-20 Thread Simon Brereton
On 18 October 2011 10:37, Timo Sirainen wrote:
> On Wed, 2011-10-12 at 10:24 -0400, Simon Brereton wrote:
>>
>>
>> Of all the accounts on the box, it's only mine that throws this up.
>> Since its LIP is localhost, it could really only be for webmail - but
>> I don't always leave the webmail open, so I'm curious to know how this
>> gets there and what it is.
>>
>> Any suggestions?  I find it difficult to believe I have an IMAP
>> process in a script somewhere (especially with my user account - the
>> postmaster account, I could believe, but not with my personal one)..
>>
> You could enable auth_debug_passwords=yes and see what password it
> tries.

The first day I did this, I forgot to restart dovecot.  Doh.  This
morning I had:



Oct 20 06:25:14 mail dovecot: auth(default): client in:
AUTH#0112#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=50683#011resp=--alsoremoved--==
Oct 20 06:25:14 mail dovecot: auth-worker(default):
sql(si...@example.net,127.0.0.1): query: SELECT EmailAdd AS user,
Password AS password,  concat('/var/spool/mail/virtual/',MailDirLoc)
as userdb_home, 999 as userdb_uid, 115 as userdb_gid FROM MailAccounts
WHERE Username='si...@example.net' AND active = '1';
Oct 20 06:25:14 mail dovecot: auth-worker(default):
sql(si...@example.net,127.0.0.1): Password mismatch
Oct 20 06:25:14 mail dovecot: auth-worker(default):
md5_verify(si...@example.net): Not a valid MD5-CRYPT or PLAIN-MD5
password
Oct 20 06:25:14 mail dovecot: auth-worker(default):
smd5_verify(si...@example.net): SMD5 password too short
Oct 20 06:25:14 mail dovecot: auth-worker(default):
ssha_verify(si...@example.net): SSHA password too short
Oct 20 06:25:14 mail dovecot: auth-worker(default):
ssha256_verify(si...@example.net): SSHA256 password too short
Oct 20 06:25:14 mail dovecot: auth-worker(default): Invalid OTP data in passdb
Oct 20 06:25:14 mail dovecot: auth-worker(default): Invalid OTP data in passdb
Oct 20 06:25:14 mail dovecot: auth-worker(default):
sql(si...@example.net,127.0.0.1): CRYPT() != 'RaNDomsTRinG'
Oct 20 06:25:16 mail dovecot: auth(default): client out:
FAIL#0112#011user=si...@example.net
Oct 20 06:25:26 mail dovecot: auth(default): client in:
AUTH#0113#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=50683#011resp=--truncated--
Oct 20 06:25:26 mail dovecot: auth-worker(default):
sql(si...@example.net,127.0.0.1): query: SELECT EmailAdd AS user,
Password AS password,  concat('/var/spool/mail/virtual/',MailDirLoc)
as userdb_home, 999 as userdb_uid, 115 as userdb_gid FROM MailAccounts
WHERE Username='si...@example.net' AND active = '1';
Oct 20 06:25:26 mail dovecot: auth-worker(default):
sql(si...@example.net,127.0.0.1): Password mismatch
Oct 20 06:25:26 mail dovecot: auth-worker(default):
md5_verify(si...@example.net): Not a valid MD5-CRYPT or PLAIN-MD5
password
Oct 20 06:25:26 mail dovecot: auth-worker(default):
smd5_verify(si...@example.net): SMD5 password too short
Oct 20 06:25:26 mail dovecot: auth-worker(default):
ssha_verify(si...@example.net): SSHA password too short
Oct 20 06:25:26 mail dovecot: auth-worker(default):
ssha256_verify(si...@example.net): SSHA256 password too short
Oct 20 06:25:26 mail dovecot: auth-worker(default): Invalid OTP data in passdb
Oct 20 06:25:26 mail dovecot: auth-worker(default): Invalid OTP data in passdb
Oct 20 06:25:26 mail dovecot: auth-worker(default):
sql(si...@example.net,127.0.0.1): CRYPT() != 'RaNDomsTRinG'
Oct 20 06:25:28 mail dovecot: auth(default): client out:
FAIL#0113#011user=si...@example.net
Oct 20 06:25:43 mail dovecot: auth(default): client in:
AUTH#0114#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=50683#011resp=--alsoremoved--==
Oct 20 06:25:43 mail dovecot: auth-worker(default):
sql(si...@example.net,127.0.0.1): query: SELECT EmailAdd AS user,
Password AS password,  concat('/var/spool/mail/virtual/',MailDirLoc)
as userdb_home, 999 as userdb_uid, 115 as userdb_gid FROM MailAccounts
WHERE Username='si...@example.net' AND active = '1';
Oct 20 06:25:43 mail dovecot: auth-worker(default):
sql(si...@example.net,127.0.0.1): Password mismatch
Oct 20 06:25:43 mail dovecot: auth-worker(default):
md5_verify(si...@example.net): Not a valid MD5-CRYPT or PLAIN-MD5
password
Oct 20 06:25:43 mail dovecot: auth-worker(default):
smd5_verify(si...@example.net): SMD5 password too short
Oct 20 06:25:43 mail dovecot: auth-worker(default):
ssha_verify(si...@example.net): SSHA password too short
Oct 20 06:25:43 mail dovecot: auth-worker(default):
ssha256_verify(si...@example.net): SSHA256 password too short
Oct 20 06:25:43 mail dovecot: auth-worker(default): Invalid OTP data in passdb
Oct 20 06:25:43 mail dovecot: auth-worker(default): Invalid OTP data in passdb
Oct 20 06:25:43 mail dovecot: auth-worker(default):
sql(si...@example.net,127.0.0.1): CRYPT() != 'RaNDomsTRinG'
Oct 20 06:25:45 mail dovecot: auth(default): client out:
FAIL#0114#011user=si..

Re: [Dovecot] Auth Worker failures

2011-10-18 Thread Timo Sirainen
On Wed, 2011-10-12 at 10:24 -0400, Simon Brereton wrote:
> 
> 
> Of all the accounts on the box, it's only mine that throws this up.
> Since its LIP is localhost, it could really only be for webmail - but
> I don't always leave the webmail open, so I'm curious to know how this
> gets there and what it is.   
> 
> Any suggestions?  I find it difficult to believe I have an IMAP
> process in a script somewhere (especially with my user account - the
> postmaster account, I could believe, but not with my personal one)..
> 
You could enable auth_debug_passwords=yes and see what password it
tries.




[Dovecot] Auth Worker failures

2011-10-12 Thread Simon Brereton
Hi

I have a script that checks the logs each day and mails me invalid user 
attempts and authentication failures for the previous day.  (I use fail2ban to 
ban multiple attempts in a short space of time).

For some reason, this appears every day:

Oct 11 06:25:12 mail dovecot: auth-worker(default): 
sql(si...@mydomain.net,127.0.0.1): Password mismatch
Oct 11 06:25:19 mail dovecot: auth-worker(default): 
sql(si...@mydomain.net,127.0.0.1): Password mismatch
Oct 11 06:25:31 mail dovecot: auth-worker(default): 
sql(si...@mydomain.net,127.0.0.1): Password mismatch
Oct 11 06:25:48 mail dovecot: auth-worker(default): 
sql(si...@mydomain.net,127.0.0.1): Password mismatch
Oct 11 06:26:10 mail dovecot: imap-login: Aborted login (auth failed, 4 
attempts): user=, method=PLAIN, rip=127.0.0.1, 
lip=127.0.0.1, secured

Of all the accounts on the box, it's only mine that throws this up.  Since its 
LIP is localhost, it could really only be for webmail - but I don't always 
leave the webmail open, so I'm curious to know how this gets there and what it 
is.   

Any suggestions?  I find it difficult to believe I have an IMAP process in a 
script somewhere (especially with my user account - the postmaster account, I 
could believe, but not with my personal one)..

The log time is UTC, so watching the process list at 2.24 is less than 
appealing!

Simon