23 Jun 2017, 9:38 p.m.
While auditing my logs after an account was compromised, I see a number of entries like:
Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
I'm trying to figure out where this login attempt is coming from. I do run ASSP (an SMTP proxy) on this server, as well as Postfix - but I wouldn't think there'd be any communication with Dovecot for those?
Postfix does use Dovecot SASL - but I see separate log entries for Postfix authentication failures.
There are of course plenty of external IPs listed in Dovecot logs - I'm just asking for possible causes for the localhost entries.
-- Daniel