[Dovecot] Wrong remote IP (rip) in mail.log using IMAP login
Dear list users
While trying to secure our dovecot server with fail2ban I came across the following problem: We use dovecot (1.2.9, ubuntu package) behind a NAT, and failed login attempts are logged with our firewall as the remote ip.
Example: Apr 15 08:36:26 mail dovecot: imap-login: Disconnected (auth failed, 6 attempts): user=<xy>, method=PLAIN, rip=192.168.0.1, lip=192.168.0.3
Therefore I would ban 192.168.0.1 which means that I ban EVERY user.
Funny thing is that POP3 login attempts are logged correctly: Apr 13 11:05:50 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<sgvyniwx>, method=PLAIN, rip=217.81.27.55, lip=192.168.0.3
Any ideas how to change this?
Thanks in advance
tyli
On 15.04.2011 10:57, tyli wrote:
> Dear list users
> While trying to secure our dovecot server with fail2ban I came across the following problem: We use dovecot (1.2.9, ubuntu package) behind a NAT, and failed login attempts are logged with our firewall as the remote ip.
> Example: Apr 15 08:36:26 mail dovecot: imap-login: Disconnected (auth failed, 6 attempts): user=<xy>, method=PLAIN, rip=192.168.0.1, lip=192.168.0.3
> Therefore I would ban 192.168.0.1 which means that I ban EVERY user.
> Funny thing is that POP3 login attempts are logged correctly: Apr 13 11:05:50 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<sgvyniwx>, method=PLAIN, rip=217.81.27.55, lip=192.168.0.3

Hi! Do a simple check: try running tcpdump port imap and check whether the remote IP address is local or remote.
Regards,
Marcin
tyli wrote:
> Dear list users
> While trying to secure our dovecot server with fail2ban I came across the following problem: We use dovecot (1.2.9, ubuntu package) behind a NAT, and failed login attempts are logged with our firewall as the remote ip.
> Example: Apr 15 08:36:26 mail dovecot: imap-login: Disconnected (auth failed, 6 attempts): user=<xy>, method=PLAIN, rip=192.168.0.1, lip=192.168.0.3
> Therefore I would ban 192.168.0.1 which means that I ban EVERY user.
> Funny thing is that POP3 login attempts are logged correctly: Apr 13 11:05:50 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<sgvyniwx>, method=PLAIN, rip=217.81.27.55, lip=192.168.0.3
> Any ideas how to change this?
> Thanks in advance tyli

Could it be that imap is through webmail?
regards,
Johan
Hi,
I am also facing the same problem. When dovecot is accessed through a web mail, the rip is logged as 127.0.0.1 (localhost).
Aug 1 16:28:04 mailspace dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<suja>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<XllGt+DiPQB/AAAB>
So I am also unable to configure fail2ban with dovecot. Is there a way we can log the actual remote IP?
Thanks and regards, Suja
-- View this message in context: http://dovecot.2317879.n4.nabble.com/Wrong-remote-IP-rip-in-mail-log-using-I... Sent from the Dovecot mailing list archive at Nabble.com.
On 8/1/2013 8:41 PM, pvsuja wrote:
> Hi,
> I am also facing the same problem. When dovecot is accessed through a web mail, the rip is logged as 127.0.0.1 (localhost).
> Aug 1 16:28:04 mailspace dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<suja>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<XllGt+DiPQB/AAAB>
> So I am also unable to configure fail2ban with dovecot. Is there a way we can log the actual remote IP?

Dovecot has no way of determining the remote IP when a proxy is the system making the connection, which is what is happening. Your webmail is the proxy in this case.
Have fail2ban scan your web server logs, not the mail logs.
Dem
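
An added example, not part of any message in this thread: a pre-check that separates failed-login sources that identify a single client from sources that are an intermediary (webmail on localhost, a NAT firewall), which is the distinction the replies above turn on. The function name `classify_failures` is hypothetical, the log lines are copied from the thread, and it assumes real clients never connect from loopback or private addresses.

```python
import ipaddress
import re
from collections import Counter

# Sample lines copied from the messages in this thread.
SAMPLE_LOG = """\
Apr 15 08:36:26 mail dovecot: imap-login: Disconnected (auth failed, 6 attempts): user=<xy>, method=PLAIN, rip=192.168.0.1, lip=192.168.0.3
Apr 13 11:05:50 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<sgvyniwx>, method=PLAIN, rip=217.81.27.55, lip=192.168.0.3
Aug 1 16:28:04 mailspace dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<suja>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<XllGt+DiPQB/AAAB>
"""

# Matches both "(auth failed, 6 attempts)" and "(auth failed, 1 attempts in 2 secs)".
AUTH_FAILED = re.compile(
    r"dovecot: (?P<svc>imap|pop3)-login: .*?\(auth failed, (?P<n>\d+) attempts[^)]*\)"
    r".*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)


def classify_failures(log_text):
    """Return (bannable, intermediaries): failed-attempt counts keyed by rip.

    bannable:       rip is a public address, so it identifies one client.
    intermediaries: rip is loopback or private, i.e. a webmail host or NAT
                    device connecting on behalf of many clients (assumption:
                    no legitimate client is on those ranges).
    """
    bannable, intermediaries = Counter(), Counter()
    for line in log_text.splitlines():
        m = AUTH_FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("rip"))
        except ValueError:
            continue  # malformed address field; skip the line
        shared = addr.is_loopback or addr.is_private
        bucket = intermediaries if shared else bannable
        bucket[str(addr)] += int(m.group("n"))
    return dict(bannable), dict(intermediaries)


if __name__ == "__main__":
    ban, skip = classify_failures(SAMPLE_LOG)
    print("identifies a client:", ban)
    print("proxy/NAT source, do not ban:", skip)
```

Addresses that land in the second result are candidates for fail2ban's `ignoreip` setting, with the actual client address taken from the webmail or web server log instead.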
Hi,
Thanks for the response. I got it working with web mail logs.
Thanks again.
participants (5)
- Johan Hendriks
- Marcin Mirosław
- Professa Dementia
- pvsuja
- tyli