[Dovecot] Possible erroneous "aborted login attempts"
Aug 29 22:51:27 server1 dovecot: imap-login: Aborted login (no auth attempts): rip=(obfuscated), lip=173.50.101.12, TLS Aug 29 22:51:27 server1 dovecot: imap-login: Login: user=...........
before most every successful login, the same second of time, dovecot has the above message.
This is not a huge problem but our firewall is looking for aborted login attempts, for imap/pop3 (relevant to dovecot) dos attempts and, if many people start having problems of their packets being dropped, we will have to stop looking for the statement or lower security slightly, more attempts over a period of time before filtering.
However, thanks to your idle feature, there is less of these messages; so, I don't think we will have a problem. The only client that doesn't have a problem is our php webmail but we don't look in dovecot's log for failed attempts from here; as, it is from the same ip, to dovecot from php, constantly without reference to the user. This has been happening since 1.2.11 with us. We don't use any imap relay but was looking into imapproxy for cacheing speed and preventing advanced ddos attempts, those from users with access.
Jerrale G. errale G. SC Senior Admin
On Sun, 2010-08-29 at 23:02 -0400, Jerrale G wrote:
Aug 29 22:51:27 server1 dovecot: imap-login: Aborted login (no auth attempts): rip=(obfuscated), lip=173.50.101.12, TLS Aug 29 22:51:27 server1 dovecot: imap-login: Login: user=...........
before most every successful login, the same second of time, dovecot has the above message.
Well, there's something wrong. Have you tried manually logging in with telnet?
telnet localhost 143 a login username password
Does that log it? If not, try next from remote host. And maybe in case it's related TLS try:
openssl s_client -connect localhost:993
participants (2)
-
Jerrale G
-
Timo Sirainen