Hi
I have a script that checks the logs each day and mails me invalid user attempts and authentication failures for the previous day. (I use fail2ban to ban multiple attempts in a short space of time).
For some reason, this appears every day:
Oct 11 06:25:12 mail dovecot: auth-worker(default): sql(simon@mydomain.net,127.0.0.1): Password mismatch Oct 11 06:25:19 mail dovecot: auth-worker(default): sql(simon@mydomain.net,127.0.0.1): Password mismatch Oct 11 06:25:31 mail dovecot: auth-worker(default): sql(simon@mydomain.net,127.0.0.1): Password mismatch Oct 11 06:25:48 mail dovecot: auth-worker(default): sql(simon@mydomain.net,127.0.0.1): Password mismatch Oct 11 06:26:10 mail dovecot: imap-login: Aborted login (auth failed, 4 attempts): user=<simon@mydomain.net>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Of all the accounts on the box, it's only mine that throws this up. Since its LIP is localhost, it could really only be for webmail - but I don't always leave the webmail open, so I'm curious to know how this gets there and what it is.
Any suggestions? I find it difficult to believe I have an IMAP process in a script somewhere (especially with my user account - the postmaster account, I could believe, but not with my personal one)..
The log time is UTC, so watching the process list at 2.24 is less than appealing!
Simon