W dniu 15.04.2011 10:57, tyli pisze:
Dear list users
While trying to secure our dovecot server with fail2ban I came across the following problem: We use dovecot (1.2.9, ubuntu package) behind a NAT, and failed login attempts are logged with our firewall as the remote ip.
Example: Apr 15 08:36:26 mail dovecot: imap-login: Disconnected (auth failed, 6 attempts): user=<xy>, method=PLAIN, rip=192.168.0.1, lip=192.168.0.3
Therefore I would ban 192.168.0.1 which means that I ban EVERY user.
Funny thing is that POP3 login attempts are logged correctly: Apr 13 11:05:50 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<sgvyniwx>, method=PLAIN, rip=217.81.27.55, lip=192.168.0.3
Hi! Do simple check, try run tcpdump port imap and check if rempte address ip is local or is it remote? Reagrds, Marcin