localhost logins
Daniel Miller
dmiller at amfes.com
Fri Jun 23 21:38:28 EEST 2017
While auditing my logs after an account was compromised, I see a number
of entries like:
Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
I'm trying to figure out where this login attempt is coming from. I do
run ASSP (an SMTP proxy) on this server, as well as Postfix - but I
wouldn't think there'd be any communication with Dovecot for those?
Postfix does use Dovecot SASL - but I see separate log entries for
Postfix authentication failures.
There are of course plenty of external IPs listed in Dovecot logs - I'm
just asking for possible causes for the localhost entries.
--
Daniel
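
Added example, not part of the original post: a Python script that pulls the Dovecot auth entries with a loopback source out of a syslog-format mail log and lists which other programs logged within a few seconds of each one, as a starting point for tracing the local client. The sample lines, the 2-second window and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the syslog layout quoted in the post. PIDs, accounts and
# addresses are made up (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
Jun 23 11:32:17 bubba postfix/smtpd[2211]: connect from unknown[203.0.113.9]
Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
Jun 23 11:32:18 bubba postfix/smtpd[2211]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed
Jun 23 11:40:02 bubba dovecot: auth: ldap("another-account",203.0.113.50): invalid credentials
Jun 23 11:55:40 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
# passdb(user,remote-ip) as in the quoted entry; quotes around the user are optional.
AUTH = re.compile(r'auth: ([\w-]+)\("?([^",)]+)"?,([0-9A-Fa-f:.]+)[,)]')


def parse(log, year=2017):
    """Return (timestamp, program, message) tuples; syslog lines carry no year."""
    events = []
    for line in log.splitlines():
        m = SYSLOG.match(line)
        if m:
            when = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            events.append((when, m[3], m[4]))
    return events


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback  # covers 127.0.0.0/8 and ::1
    except ValueError:
        return False


def loopback_auth_entries(log, window=2):
    """For each Dovecot auth entry from loopback, list other programs logging nearby."""
    events, span, report = parse(log), timedelta(seconds=window), []
    for when, prog, msg in events:
        a = AUTH.search(msg) if prog == "dovecot" else None
        if not a or not is_loopback(a[3]):
            continue
        nearby = sorted({p for t, p, _ in events if p != "dovecot" and abs(t - when) <= span})
        report.append({"time": f"{when:%H:%M:%S}", "passdb": a[1], "user": a[2], "nearby": nearby})
    return report


if __name__ == "__main__":
    for row in loopback_auth_entries(SAMPLE_LOG):
        print(row)
```

An empty "nearby" list means nothing else on the host logged in that window, so the local client has to be found another way.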