On 04/01/2026 23:29, Bryan Simmons via dovecot wrote:
Log contains several messages from dovecot that are not clear to me exactly what is occurring, single example below. These appear to be login attempts for the same group of non existent user ids from various rip addresses. Am I interpreting these correctly and, if so, is there any issue with just ignoring them?
dovecot: pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): user=<non-existent-user@example.net>, rip=0.0.0.0
Thank you, Bryan
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Hi Bryan
yes these are authentication failures. In general these are going to be compromised servers/devices where the purpose could be to try to steal login credentials by password guessing, potentially then to use them for smtp authentication to send out spam emails.
To be extremely pragmatic as long as it is for non existent users, they are never going to succeed in logging in whatever password is used. The issue would be if they are also for existent users, since leaving these compromised servers/devices hammering away, they may eventually guess a right password, depending on how strong your password policies are.
Attacks against pop3, imap and managesieve are fewer than against smtp auth, but they do still happen.
Fail2ban may be useful in blocking the ip addresses, though the attackers will just change ip address, and you'll end up with quite a number of ip blocks. But that is preferable to leaving them try over and over again with the risk they will eventually succeed.
Personally I find it helpful to use the Spamhaus XBL and never accept connection attempts from compromised ips. However as others have pointed out, this is not the generally recommended approach. It happens to work for me since I am not expecting users to have ips in XBL and it gets rid of most of the malintentioned connections.
John