While auditing my logs after an account was compromised, I see a number of entries like:
Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
I'm trying to figure out where this login attempt is coming from. I do run ASSP (an SMTP proxy) on this server, as well as Postfix - but I wouldn't think there'd be any communication with Dovecot for those?
Postfix does use Dovecot SASL - but I see separate log entries for Postfix authentication failures.
There are of course plenty of external IPs listed in Dovecot logs - I'm just asking for possible causes for the localhost entries.
-- Daniel
On Fri, 23 Jun 2017 11:38:28 -0700 Daniel Miller dmiller@amfes.com wrote:
> While auditing my logs after an account was compromised, I see a number of entries like:
> Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
webmail?
-- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
On 2017-06-23 15:09, Marcus Rueckert wrote:
> On Fri, 23 Jun 2017 11:38:28 -0700 Daniel Miller dmiller@amfes.com wrote:
>> While auditing my logs after an account was compromised, I see a number of entries like:
>> Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
> webmail?
I thought that as well - because I do have a webmail service - but
that's on a separate virtual server (admittedly, running on this host).
So that shouldn't give me a localhost IP. I also don't see anything in
the webmail logs corresponding to the dovecot logs.
Daniel
On 26.06.17 Daniel Miller wrote:
> On 2017-06-23 15:09, Marcus Rueckert wrote:
>> On Fri, 23 Jun 2017 11:38:28 -0700 Daniel Miller dmiller@amfes.com wrote:
>>> While auditing my logs after an account was compromised, I see a number of entries like:
>>> Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
>> webmail?
Nagios or someone else monitoring dovecot?
Fabian.
On 6/27/2017 12:42 AM, Fabian Schmidt wrote:
> On 26.06.17 Daniel Miller wrote:
>> On 2017-06-23 15:09, Marcus Rueckert wrote:
>>> On Fri, 23 Jun 2017 11:38:28 -0700 Daniel Miller dmiller@amfes.com wrote:
>>>> While auditing my logs after an account was compromised, I see a number of entries like:
>>>> Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
>>> webmail?
> Nagios or someone else monitoring dovecot?
Not running such - and they wouldn't be hitting multiple accounts.
Daniel
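Added example, not part of the thread: a small log triage script that groups the "invalid credentials" entries quoted above by remote IP and flags loopback sources that failed against more than one account, which is the pattern that rules out a single-account monitoring check. The sample lines, account names and function names are constructed for illustration, and the quotes around the account name are assumed to be optional.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the entry format quoted in the thread; quotes around the
# account name are treated as optional (assumption).
AUTH_FAIL = re.compile(
    r'dovecot: auth: (?P<db>[\w-]+)\("?(?P<user>[^",)]+)"?,'
    r'(?P<rip>[^,)]+)[^)]*\): invalid credentials'
)

# Constructed sample lines (not real log data).
SAMPLE_LOG = """\
Jun 23 11:32:18 bubba dovecot: auth: ldap("alice",127.0.0.1): invalid credentials
Jun 23 11:32:41 bubba dovecot: auth: ldap("bob",127.0.0.1): invalid credentials
Jun 23 11:33:02 bubba dovecot: auth: ldap("carol",127.0.0.1): invalid credentials
Jun 23 11:35:10 bubba dovecot: auth: ldap("alice",203.0.113.7): invalid credentials
Jun 23 11:36:00 bubba postfix/smtpd[1234]: connect from unknown[198.51.100.4]
"""


def failures_by_source(lines):
    """Map each remote IP to the set of accounts it failed to log in as."""
    seen = defaultdict(set)
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            seen[m.group("rip")].add(m.group("user"))
    return dict(seen)


def loopback_multi_account(lines, min_accounts=2):
    """Return loopback sources that failed against several distinct accounts."""
    flagged = {}
    for rip, users in failures_by_source(lines).items():
        try:
            is_loopback = ipaddress.ip_address(rip).is_loopback
        except ValueError:
            continue  # field is not an IP literal; skip it
        if is_loopback and len(users) >= min_accounts:
            flagged[rip] = sorted(users)
    return flagged


if __name__ == "__main__":
    for rip, users in loopback_multi_account(SAMPLE_LOG.splitlines()).items():
        print(f"{rip}: {len(users)} accounts failed: {', '.join(users)}")
```

The timestamps of the flagged entries can then be compared against the logs of each local service that authenticates through Dovecot.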
participants (3): Daniel Miller, Fabian Schmidt, Marcus Rueckert