localhost logins

Daniel Miller dmiller at amfes.com
Tue Jun 27 22:06:49 EEST 2017


On 6/27/2017 1:33 AM, Daniel Miller wrote:
> On 6/27/2017 12:42 AM, Fabian Schmidt wrote:
>>
>> Am 26.06.17 schrieb Daniel Miller:
>>
>>> On 2017-06-23 15:09, Marcus Rueckert wrote:
>>>> On Fri, 23 Jun 2017 11:38:28 -0700
>>>> Daniel Miller <dmiller at amfes.com> wrote:
>>>>
>>>>> While auditing my logs after an account was compromised, I see a
>>>>> number of entries like:
>>>>>
>>>>> Jun 23 11:32:18 bubba dovecot: auth:
>>>>> ldap("one-of-my-accounts",127.0.0.1): invalid credentials
>>>>
>>>> webmail?
>>
>> Nagios or someone else monitoring dovecot?
>>
> Not running such - and they wouldn't be hitting multiple accounts.
>
Now I'm more confused.  I changed Dovecot to listen only on a specific 
IP address - and I still see localhost log lines:

Jun 27 12:03:27 bubba dovecot: auth: 
ldap(SomeUser at MyDomain.com,127.0.0.1): invalid credentials

The only other thing I can think of - Postfix runs on this server and 
uses Dovecot SASL.  Is it possible the Dovecot auth log line is caused 
by a Postfix connection attempt?

Daniel


More information about the dovecot mailing list