On 6.6.2012, at 2.08, Glenn English wrote:
And these brute force attempts would be logged, each one.
They are, with no rhost. And there are other brute force attempts
that *do* have IPs.
I think the answer to this is simply that Dovecot v1.0 didn't tell PAM the
rhost. Upgrade.

On Jun 8, 2012, at 10:25 AM, Timo Sirainen wrote:
I think the answer to this is simply that Dovecot v1.0 didn't tell PAM the
rhost. Upgrade.
Will do. What you say fits with what I see in the logs and
is a lot simpler than many other suggestions. And you do
have some credibility in this

On Jun 4, 2012, at 8:45 PM, Joseph Tam wrote:
If dovecot-auth is getting input from a local socket, then rhost
information is irrelevant since the host doing the asking is the server
itself (maybe from another daemon connected to a remote host).
Thanks for the confirmation of my

On Tue, Jun 05, 2012 at 09:38:49AM -0600, Glenn English wrote:
On Jun 4, 2012, at 8:45 PM, Joseph Tam wrote:
If dovecot-auth is getting input from a local socket, then rhost
information is irrelevant since the host doing the asking is the
server itself (maybe from another daemon connected

Glenn English wrote:
Maybe someone is brute forcing your server's Postfix authenticated
SMTP service since Postfix can be configured to use Dovecot's SASL
authentication framework.
and for the suggestion -- I do have Postfix using Dovecot-Auth checking
for SASL.
I think I'm going to

On Jun 5, 2012, at 3:53 PM, /dev/rob0 wrote:
What suspicions were confirmed?
At first I thought that somebody was TCP'ing in and somehow
turning off the remote IP in the log so I couldn't block it.
Then an answer from another mailing list, and a little thinking,
made it occur to me that

Glenn English writes:
I'm getting a lot of what I think is a local socket asking
dovecot:auth to verify username/passwords:
May 31 09:00:54 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=
If dovecot-auth is getting

Debian Lenny, Dovecot v 1.0.15.
I'm getting a lot of what I think is a local socket asking
dovecot:auth to verify username/passwords:
May 31 09:00:54 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=
Note the empty

I forgot to include this config info:
# 1.0.15: /etc/dovecot/dovecot.conf
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap pop3
ssl_listen: *
ssl_disable: yes
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login