Debian Lenny, Dovecot v 1.0.15.

I'm getting a lot of what I think is a local socket asking dovecot:auth to verify username/passwords:

May 31 09:00:54 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=

Note the empty 'rhost='. That's why I think it's on the server. I see others that look like bots:

May 30 23:08:43 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=200.119.139.22

And I know how to promote the latter to a firewall. But with no rhost, I'm stumped...

I've read books, googled, read docs, and asked for help on other mailing lists, and I've learned a lot. And I no longer think it really has much to do with Dovecot, other than the login attempt going through it to get to PAM.

But has anyone here seen this before? Is my current theory correct? What did you do to make it go away?

(I suspect that upgrading to Debian Squeeze might get rid of it, but I'm afraid that if I don't figure out what's going on, it might just come back.)

-- Glenn English hand-wrapped from my Apple Mail