Recently my network was scanned. Various services was scanned, and checking the logs of mail server the following string draw my attention: mail dovecot: pop3-login: Disconnected: user=<ttejmgpfip>, method=PLAIN, rip=87.228.15.180, lip=x.x.x.x
This looks weird to me, because pop3-login: Disconnected looks like succesful login attempt to me. I have no such user named ttejmgpfip exits ofc. I've check what dovecot writes to log if try PLAIN login method with random login/password, and it's "Aborted login". As I'm using SQL backend for user/pass database, I'm afraid that I might have something misconfigured and a possible sql-injection or something else allowed attacker to "login" with random password. Or my worries are groundless and I can get such message in some case of unsuccessful login? Running dovecot 1.0.rc15 (CentOS 5). Here is how my sql auth done:
default_pass_scheme = MD5 password_query = SELECT password FROM mailbox WHERE active = '1' AND (LEFT(username, INSTR(username, '@')-1) = '%u' OR username = '%u') user_query = SELECT maildir as home, 6000 AS uid, 6000 AS gid, domain FROM mailbox WHERE LEFT(username, INSTR(username, '@')-1) = '%u' OR username = '%u'
I have such query so it is possible for a user to login either as user@domain or just as user (I have single domain).