dovecot not listening, but doing passw checks? Was: connection refused, no error anywhere

Greetings,

I just woke up and went back to try to diagnose the problem I first reported in my other thread, and noticed something weird. After your suggestions, the situation is as follow:

0. FTR, postfix is working, if I open the local mailboxes with mutt running on the server I do see email coming in as expected, from mailing lists and our correspondents

1. output of dovecot -n is below

2. both "ss -tuln | grep 993" and "netstat -tanp" show NO activity /presence on port 993

3. BUT, running "service dovecot status" (see output below, I only changed server and user name) I noticed a failed authentication attempt from SOMEUSER2, happened ~15/20 minutes before I checked, where "SOMEUSER" (without the trailing "2") is an ACTUAL user of the old server, and 200.89.159.59 an IP address I don't know (not my desktop's for sure, and AFAIK no legitimate user is trying to use the server at this time, they know I'm rebuilding it...)

Now the question is, OK, that attempt may be some attacker trying to get in, this happens but... HOW is he succeeding to TRY to connect, if dovecot doesn't appear to be listening at all??? And of course, does this help in any way to figure out what is wrong with my configuration?

Thanks, Marco

######################################### OUTPUT of dovecot -n (actual domain name changed to example.com)

# 2.3.21 (47349e2482): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.21 (f6cd4b8e) doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:9: ssl_dh_parameters_length is no longer needed # OS: Linux 6.8.0-51-generic x86_64 Ubuntu 24.04.1 LTS ext4 # Hostname: nexaima auth_debug = yes auth_verbose = yes auth_verbose_passwords = plain mail_debug = yes mail_location = maildir:/var/mail/mymail_storage/base/ mbox_write_locks = fcntl passdb { args = /etc/imap.v_users driver = passwd-file } passdb { driver = pam } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 ssl = yes } } ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem ssl_cipher_list = ALL ssl_key = # hidden, use -P to show it ssl_prefer_server_ciphers = yes userdb { args = /etc/imap.v_users driver = passwd-file } userdb { driver = passwd } verbose_ssl = yes

######################################################

FULL OUTPUT OF "service dovecot status":

root@example:/# service dovecot status ● dovecot.service - Dovecot IMAP/POP3 email server Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; preset: enabled) Active: active (running) since Tue 2025-01-21 23:41:45 UTC; 5h 24min ago Docs: man:dovecot(1) https://doc.dovecot.org/ Main PID: 35241 (dovecot) Status: "v2.3.21 (47349e2482) running" Tasks: 5 (limit: 4543) Memory: 3.6M (peak: 5.5M) CPU: 503ms CGroup: /system.slice/dovecot.service ├─35241 /usr/sbin/dovecot -F ├─35242 dovecot/anvil ├─35243 dovecot/log ├─35246 dovecot/config └─35323 dovecot/stats

Jan 22 04:49:06 example dovecot[35243]: auth-worker(37492): Debug: conn unix:auth-worker (pid=37491,uid=111): auth-worker<2>: pam(SOMEUSER2,200.89.159.59): #1/1 style=1 > Jan 22 04:49:06 example auth[37492]: pam_unix(dovecot:auth): check pass; user unknown Jan 22 04:49:06 example auth[37492]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=SOMEUSER2 rhost=200.89.159.59 Jan 22 04:49:08 example dovecot[35243]: auth-worker(37492): conn unix:auth-worker (pid=37491,uid=111): auth-worker<2>: pam(SOMEUSER2,200.89.159.59): pam_authenticate() f> Jan 22 04:49:08 example dovecot[35243]: auth-worker(37492): Debug: conn unix:auth-worker (pid=37491,uid=111): auth-worker<2>: pam(SOMEUSER2,200.89.159.59): Finished pass> Jan 22 04:49:08 example dovecot[35243]: auth-worker(37492): Debug: conn unix:auth-worker (pid=37491,uid=111): auth-worker<2>: Finished: password_mismatch Jan 22 04:49:08 example dovecot[35243]: auth: Debug: pam(SOMEUSER2,200.89.159.59): Finished passdb lookup Jan 22 04:49:08 example dovecot[35243]: auth: Debug: auth(SOMEUSER2,200.89.159.59): Auth request finished Jan 22 04:49:10 example dovecot[35243]: auth: Debug: client passdb out: FAIL 2 user=SOMEUSER2 Jan 22 04:50:06 example dovecot[35243]: auth-worker(37492): Debug: conn unix:auth-worker (pid=37491,uid=111): Disconnected: Connection closed (fd=-1) lines 1-27/27 (END)