On Jun 4, 2008, at 8:54 PM, Timo Sirainen wrote:
On Wed, 2008-06-04 at 20:02 -0400, Jurvis LaSalle wrote:
Jun 4 19:12:08 khan dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=127.0.0.1 user=user123
Someone's trying to brute-force in?
sorry. i changed that from a valid username at our site to user123. nearly all of the errors are for valid accounts.
Are there any valid logins at all then?
I'm not sure I understand your question. Here's my observations: when I
$ telnet localhost 143 Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'.
- OK Dovecot ready. 1 login validLDAPaccount XXXXX 1 OK Logged in. 2 logout
- BYE Logging out 2 OK Logout completed. Connection closed by foreign host.
I see in /var/log/secure an error like this:
Jun 5 12:37:46 khan dovecot-auth: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=
rhost=127.0.0.1 user=validLDAPaccount
So the user was logged in, but an error was logged for some reason.
OTOH, when I log in using the dovecotadmin account, no error is
logged. I've tried changing the order of the passdb sections and
removing the dovecotadmin section entirely, but an error is always
logged for an LDAP user even though they successfully login.
Does that answer your question? Please let me know if I can provide
any additional info to figure this out. I'll work on removing PAM
from the equation as auth locked up on us again while I was writing
this even though I removed the blocking=yes from the passdb:driver:pam
section.
Thanks, JL