dovecot not listening, but doing passw checks? Was: connection refused, no error anywhere
Greetings,
I just woke up and went back to try to diagnose the problem I first reported in my other thread, and noticed something weird. After your suggestions, the situation is as follows:
0) FTR, postfix is working, if I open the local mailboxes with mutt running on the server I do see email coming in as expected, from mailing lists and our correspondents
1) output of dovecot -n is below
2) both "ss -tuln | grep 993" and "netstat -tanp" show NO activity /presence on port 993
3) BUT, running "service dovecot status" (see output below, I only changed server and user name) I noticed a failed authentication attempt from SOMEUSER2, happened ~15/20 minutes before I checked, where "SOMEUSER" (without the trailing "2") is an ACTUAL user of the old server, and 200.89.159.59 an IP address I don't know (not my desktop's for sure, and AFAIK no legitimate user is trying to use the server at this time, they know I'm rebuilding it...)
Now the question is, OK, that attempt may be some attacker trying to get in, this happens but... HOW is he succeeding to TRY to connect, if dovecot doesn't appear to be listening at all??? And of course, does this help in any way to figure out what is wrong with my configuration?
Thanks, Marco
######################################### OUTPUT of dovecot -n (actual domain name changed to example.com)
# 2.3.21 (47349e2482): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.21 (f6cd4b8e)
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:9: ssl_dh_parameters_length is no longer needed
# OS: Linux 6.8.0-51-generic x86_64 Ubuntu 24.04.1 LTS ext4
# Hostname: nexaima
auth_debug = yes
auth_verbose = yes
auth_verbose_passwords = plain
mail_debug = yes
mail_location = maildir:/var/mail/mymail_storage/base/
mbox_write_locks = fcntl
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_cipher_list = ALL
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
userdb {
  driver = passwd
}
verbose_ssl = yes
######################################################
FULL OUTPUT OF "service dovecot status":
root@example:/# service dovecot status
● dovecot.service - Dovecot IMAP/POP3 email server
     Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; preset: enabled)
     Active: active (running) since Tue 2025-01-21 23:41:45 UTC; 5h 24min ago
       Docs: man:dovecot(1)
             https://doc.dovecot.org/
   Main PID: 35241 (dovecot)
     Status: "v2.3.21 (47349e2482) running"
      Tasks: 5 (limit: 4543)
     Memory: 3.6M (peak: 5.5M)
        CPU: 503ms
     CGroup: /system.slice/dovecot.service
             ├─35241 /usr/sbin/dovecot -F
             ├─35242 dovecot/anvil
             ├─35243 dovecot/log
             ├─35246 dovecot/config
             └─35323 dovecot/stats
Jan 22 04:49:06 example dovecot[35243]: auth-worker(37492): Debug: conn unix:auth-worker (pid=37491,uid=111): auth-worker<2>: pam(SOMEUSER2,200.89.159.59): #1/1 style=1 >
Jan 22 04:49:06 example auth[37492]: pam_unix(dovecot:auth): check pass; user unknown
Jan 22 04:49:06 example auth[37492]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=SOMEUSER2 rhost=200.89.159.59
Jan 22 04:49:08 example dovecot[35243]: auth-worker(37492): conn unix:auth-worker (pid=37491,uid=111): auth-worker<2>: pam(SOMEUSER2,200.89.159.59): pam_authenticate() f>
Jan 22 04:49:08 example dovecot[35243]: auth-worker(37492): Debug: conn unix:auth-worker (pid=37491,uid=111): auth-worker<2>: pam(SOMEUSER2,200.89.159.59): Finished pass>
Jan 22 04:49:08 example dovecot[35243]: auth-worker(37492): Debug: conn unix:auth-worker (pid=37491,uid=111): auth-worker<2>: Finished: password_mismatch
Jan 22 04:49:08 example dovecot[35243]: auth: Debug: pam(SOMEUSER2,200.89.159.59): Finished passdb lookup
Jan 22 04:49:08 example dovecot[35243]: auth: Debug: auth(SOMEUSER2,200.89.159.59): Auth request finished
Jan 22 04:49:10 example dovecot[35243]: auth: Debug: client passdb out: FAIL 2 user=SOMEUSER2
Jan 22 04:50:06 example dovecot[35243]: auth-worker(37492): Debug: conn unix:auth-worker (pid=37491,uid=111): Disconnected: Connection closed (fd=-1)
On 22/01/2025 07:26 EET Marco Fioretti via dovecot <dovecot@dovecot.org> wrote:
Greetings,
I just woke up and went back to try to diagnose the problem I first reported in my other thread, and noticed something weird. After your suggestions, the situation is as follows:
0) FTR, postfix is working, if I open the local mailboxes with mutt running on the server I do see email coming in as expected, from mailing lists and our correspondents
1) output of dovecot -n is below
2) both "ss -tuln | grep 993" and "netstat -tanp" show NO activity /presence on port 993
3) BUT, running "service dovecot status" (see output below, I only changed server and user name) I noticed a failed authentication attempt from SOMEUSER2, happened ~15/20 minutes before I checked, where "SOMEUSER" (without the trailing "2") is an ACTUAL user of the old server, and 200.89.159.59 an IP address I don't know (not my desktop's for sure, and AFAIK no legitimate user is trying to use the server at this time, they know I'm rebuilding it...)
Now the question is, OK, that attempt may be some attacker trying to get in, this happens but... HOW is he succeeding to TRY to connect, if dovecot doesn't appear to be listening at all??? And of course, does this help in any way to figure out what is wrong with my configuration?
Thanks, Marco
Try adding
protocols = imap
Aki
On Wed 22 Jan 2025 at 06:37 Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 22/01/2025 07:26 EET Marco Fioretti via dovecot <dovecot@dovecot.org> wrote:
Now the question is, OK, that attempt may be some attacker trying to get in, this happens but... HOW is he succeeding to TRY to connect, if dovecot doesn't appear to be listening at all??? And of course, does this help in any way to figure out what is wrong with my configuration?
Thanks, Marco
Try adding
protocols = imap
Aki
Hi Aki,
adding this right before the service imap-login part of dovecot.conf worked, thanks!
Now, what about that authorization attempt? What happened, why, how... and is that a sign of some weakness in the system, and how should I fix it?
Thanks, Marco
On 22/01/2025 07:49 EET Marco Fioretti via dovecot <dovecot@dovecot.org> wrote:
On Wed 22 Jan 2025 at 06:37 Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 22/01/2025 07:26 EET Marco Fioretti via dovecot <dovecot@dovecot.org> wrote:
Now the question is, OK, that attempt may be some attacker trying to get in, this happens but... HOW is he succeeding to TRY to connect, if dovecot doesn't appear to be listening at all??? And of course, does this help in any way to figure out what is wrong with my configuration?
Thanks, Marco
Try adding
protocols = imap
Aki
Hi Aki,
adding this right before the service imap-login part of dovecot.conf worked, thanks!
Now, what about that authorization attempt? What happened, why, how... and is that a sign of some weakness in the system, and how should I fix it?
Thanks, Marco
I'd guess it's coming via postfix.
Aki
sorry, I must be missing something. Why would postfix be talking directly to dovecot? Or play middleman between some external entity and dovecot? Or did you mean something else?
Thanks
On Wed 22 Jan 2025 at 07:35 Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 22/01/2025 07:49 EET Marco Fioretti via dovecot <dovecot@dovecot.org> wrote:
On Wed 22 Jan 2025 at 06:37 Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 22/01/2025 07:26 EET Marco Fioretti via dovecot <dovecot@dovecot.org> wrote:
Now the question is, OK, that attempt may be some attacker trying to get in, this happens but... HOW is he succeeding to TRY to connect, if dovecot doesn't appear to be listening at all??? And of course, does this help in any way to figure out what is wrong with my configuration?
Thanks, Marco
Try adding
protocols = imap
Aki
Hi Aki,
adding this right before the service imap-login part of dovecot.conf worked, thanks!
Now, what about that authorization attempt? What happened, why, how... and is that a sign of some weakness in the system, and how should I fix it?
Thanks, Marco
I'd guess it's coming via postfix.
Aki
On Wed, 22 Jan 2025, Marco Fioretti via dovecot wrote:
sorry, I must be missing something. Why would postfix be talking directly to dovecot? Or play middleman between some external entity and dovecot? Or did you mean something else?
Postfix (which is likely to be your SMTP server) uses (very often) Dovecot for the SASL authentication.
The communication between Postfix and Dovecot is usually via a Unix socket and not IMAP, which explains why it was (always) working even if IMAP wasn't working.
Check postconf -n and you will likely have something like
..
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
..
I'd advise you to put the server offline (or firewalled appropriately) until you have everything set up, to avoid making things worse.
Good luck! Bernardo
Thanks
On Wed 22 Jan 2025 at 07:35 Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 22/01/2025 07:49 EET Marco Fioretti via dovecot <dovecot@dovecot.org> wrote:
On Wed 22 Jan 2025 at 06:37 Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 22/01/2025 07:26 EET Marco Fioretti via dovecot <dovecot@dovecot.org> wrote:
Now the question is, OK, that attempt may be some attacker trying to get in, this happens but... HOW is he succeeding to TRY to connect, if dovecot doesn't appear to be listening at all??? And of course, does this help in any way to figure out what is wrong with my configuration?
Thanks, Marco
Try adding
protocols = imap
Aki
Hi Aki,
adding this right before the service imap-login part of dovecot.conf worked, thanks!
Now, what about that authorization attempt? What happened, why, how... and is that a sign of some weakness in the system, and how should I fix it?
Thanks, Marco
I'd guess it's coming via postfix.
Aki
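Bernardo's explanation above is the security-relevant point of this thread: with smtpd_sasl_type = dovecot, Postfix hands every SMTP AUTH attempt to Dovecot over the unix socket under service auth, so password guesses reach PAM even while nothing listens on port 993. The script below is an added example for this thread, not code from Dovecot, Postfix or any of the participants. It parses journal lines in the two shapes visible in Marco's "service dovecot status" excerpt: the pam_unix "authentication failure" lines, which carry ruser= and rhost= (the address the auth client, here Postfix's smtpd, reported to Dovecot), and Dovecot's "client passdb out: FAIL" verdict lines. It counts failures per source address and per username and flags sources that repeat or cycle through several usernames. The sample log is constructed in that format; the 203.0.113.7 address, the "admin" username and the threshold are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample journal lines, modelled on the excerpt in the thread.
# The 200.89.159.59 address and SOMEUSER/SOMEUSER2 names come from the thread;
# the 203.0.113.7 address (documentation range) and "admin" are made up here.
SAMPLE_LOG = """\
Jan 22 04:49:06 example auth[37492]: pam_unix(dovecot:auth): check pass; user unknown
Jan 22 04:49:06 example auth[37492]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=SOMEUSER2 rhost=200.89.159.59
Jan 22 04:49:08 example dovecot[35243]: auth-worker(37492): Debug: conn unix:auth-worker (pid=37491,uid=111): auth-worker<2>: Finished: password_mismatch
Jan 22 04:49:10 example dovecot[35243]: auth: Debug: client passdb out: FAIL 2 user=SOMEUSER2
Jan 22 04:51:30 example auth[37492]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=SOMEUSER rhost=200.89.159.59
Jan 22 04:51:32 example dovecot[35243]: auth: Debug: client passdb out: FAIL 3 user=SOMEUSER
Jan 22 05:02:11 example auth[37492]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=203.0.113.7
Jan 22 05:02:13 example dovecot[35243]: auth: Debug: client passdb out: FAIL 4 user=admin
"""

# pam_unix failure line: the only place in this excerpt that names both the
# attempted user and the remote address the auth client reported to Dovecot.
PAM_FAIL = re.compile(
    r"auth\[\d+\]: pam_unix\(dovecot:auth\): authentication failure;"
    r".*\bruser=(?P<user>\S*) rhost=(?P<rhost>\S*)"
)
# Dovecot's own verdict line, emitted once per failed passdb lookup.
PASSDB_FAIL = re.compile(r"auth: Debug: client passdb out: FAIL \d+ user=(?P<user>\S+)")


def summarise_failures(log_text):
    """Count PAM failures per source address and per username.

    Returns (per_rhost, per_user, users_by_rhost, passdb_fail_count).
    """
    per_rhost = Counter()
    per_user = Counter()
    users_by_rhost = defaultdict(set)
    passdb_fails = 0
    for line in log_text.splitlines():
        m = PAM_FAIL.search(line)
        if m:
            per_rhost[m["rhost"]] += 1
            per_user[m["user"]] += 1
            users_by_rhost[m["rhost"]].add(m["user"])
        elif PASSDB_FAIL.search(line):
            passdb_fails += 1
    return per_rhost, per_user, users_by_rhost, passdb_fails


def suspicious_sources(per_rhost, users_by_rhost, threshold=2):
    """Addresses with at least `threshold` failures or more than one username.

    A single mistyped password produces one failure for one user; repeated
    failures or several usernames from the same address look like guessing.
    `threshold` is an assumed tuning value, not something from the thread.
    """
    return sorted(
        rhost for rhost, count in per_rhost.items()
        if count >= threshold or len(users_by_rhost[rhost]) > 1
    )


if __name__ == "__main__":
    per_rhost, per_user, users_by_rhost, passdb_fails = summarise_failures(SAMPLE_LOG)
    print(f"passdb FAIL verdicts: {passdb_fails}")
    for rhost, count in per_rhost.most_common():
        print(f"{rhost}: {count} failure(s), users tried: {sorted(users_by_rhost[rhost])}")
    print("suspicious:", suspicious_sources(per_rhost, users_by_rhost))
```

Run it against "journalctl -u dovecot" output instead of the constructed sample to get the same summary for a real host. Two details of Marco's excerpt are worth reading the same way: the "check pass; user unknown" line means PAM found no local account called SOMEUSER2, and the rhost= value is what arrived through the Postfix SASL socket, which is why Bernardo's advice to firewall the whole server during the rebuild, not only port 993, is the right one.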
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
participants (3)
- Aki Tuomi
- Bernardo Reino
- Marco Fioretti