dovecot auth using 100% CPU

Steinar Bang sb at dod.no
Fri Jul 3 12:28:41 UTC 2015


>>>>> Edward Betts <edward at 4angle.com>:

> Jorge Bastos <mysql.jorge at decimal.pt> wrote:
>> What do you see in the logs?
>> My guess is that someone is trying a brute force auth against you,

> Thanks Jorge, I think this is the answer. I'm using dovecot for exim4 SMTP
> authentication. The exim4 logs show brute force attacks.

A little late response, but since you're using Debian you could try
pulling in fail2ban:
 apt-get install fail2ban

fail2ban scans the logs of various services for attacks and firewalls
out the attacking IP addresses.

There are no built-in rules for exim or dovecot in the Debian fail2ban
package, but there is something here that could possibly be adapted...?
 http://wiki2.dovecot.org/HowTo/Fail2Ban

Here's a filter for exim:
 https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/exim.conf
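
Added example (not part of the original message, and not fail2ban's own code): a simplified model of the scan-and-ban threshold described above, run over constructed exim-style log lines. The log line format, the regex and the function name ips_to_ban are assumptions for illustration; maxretry and findtime are named after the fail2ban settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of an exim4 mainlog (not from the thread).
SAMPLE_LOG = """\
2015-07-03 12:00:01 dovecot_login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=admin)
2015-07-03 12:00:04 dovecot_login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=info)
2015-07-03 12:00:05 dovecot_login authenticator failed for (mail) [198.51.100.7]: 535 Incorrect authentication data (set_id=bob)
2015-07-03 12:00:09 dovecot_login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=test)
2015-07-03 12:30:00 dovecot_login authenticator failed for (mail) [198.51.100.7]: 535 Incorrect authentication data (set_id=bob)
2015-07-03 12:59:00 dovecot_login authenticator failed for (mail) [198.51.100.7]: 535 Incorrect authentication data (set_id=bob)
"""

# Simplified pattern written for this example; it is not the fail2ban exim filter.
FAIL_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed for "
    r".*\[([0-9a-fA-F.:]+)\]: 535 "
)

def ips_to_ban(log_text, maxretry=3, findtime=600):
    """Return IPs with at least `maxretry` failures inside a `findtime`-second window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # not an authentication failure line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        hits = recent[ip]
        hits.append(ts)
        # Drop failures that have aged out of the sliding window.
        while hits and ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))
```

With a short window, slow retries from one address stay under the threshold; widening findtime catches them at the cost of more false positives from users mistyping passwords.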


