[Dovecot] Lots of pop3-logins

Timo Sirainen tss at iki.fi
Thu Jun 25 22:46:04 EEST 2009


You can also just decrease login_process_max_count. If Dovecot reaches
the limit, it'll just start killing off old connections that haven't
logged in.

And yeah, some day I should also make Dovecot kill some of the login
processes after many of them have been idling for a while.

On Thu, 2009-06-25 at 14:33 -0500, Rodman Frowert wrote:
> Well, after going through my log files, I was hit with a dictionary based 
> attack.  My maillog is full of about 20,000 lines of crap like this:
> 
> Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<warren>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
> Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<williams>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
> Jun 21 23:06:04 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<www>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
> Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<wilson>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
> Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<willy>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
> Jun 21 23:06:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<valerie>, method=PLAIN, rip=68.14.228.186, lip=10.10.11.2
> 
> Starts with "A" and runs all the way to "Z".  The IP traces back to cable 
> modem subscriber on Cox Communications out of Arizona.  I'll shoot them off 
> my "standard" attack e-mail.
> 
> In the meantime, I need to modify fail2ban so that it checks the maillog for 
> failed pop3 auth logins and bans IPs so this won't happen again.
> 
> Rodman
> 
> ----- Original Message ----- 
> From: "V S Rao" <viriyala at yahoo.com>
> To: <dovecot at dovecot.org>
> Sent: Thursday, June 25, 2009 1:15 PM
> Subject: Re: [Dovecot] Lots of pop3-logins
> 
> 
> >
> >> > Doing a "ps aux" on my Slackware box, I have approx 100 PIDs of 
> >> > "pop3-login"s going on.  This is a production mail server, but it is 
> >> > getting VERY low traffic.  In fact, only 3 people can "pop3" into it. 
> >> > I've checked their e-mail clients, and they are not checking mail any 
> >> > more often than every 5 minutes.
> >> >
> >> > This is a new installation and I've had the server up and running since 
> >> > Sunday.  If it matters, I'm using Postfix for the MTA and using the 
> >> > Dovecot SASL library to AUTH SMTP.
> >> >
> >> > Is this a cause for concern?  Why does Dovecot need this many 
> >> > processes?
> >> >
> >>
> >> >> Because dovecot preforks the *-login processes to speed up the login.
> >>
> >> >> No need to worry.
> >>
> >> 100 login sessions for just 3 connections? That is not right, no matter 
> >> what.
> >
> >>> No, login_processes_count matters.
> >
> > How? If my understanding is correct, you have 3 extra login processes 
> > created to cater to new connections. So with only 3 POP3 users, why should 
> > so many login processes be spawned? I can understand 10-15. But 100 
> > definitely indicates either that the processes are not dying or that something else 
> > is happening on the system which is causing such a high number of login 
> > processes. The system definitely needs to be checked for some kind of 
> > attack, a rogue process running on the system or something else.
> >
> > Regards
> > --Rao
> > 
> 
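Rodman's plan above is to have fail2ban match these lines; the following is an added example, not code from the thread or from Dovecot, that does the same counting in Python: it parses the quoted pop3-login "Aborted login" format and flags any rip that fails at least maxretry times inside a findtime window, also reporting how many distinct usernames that client tried. The regex, helper names, thresholds and the sample log (RFC 5737 addresses standing in for the real client) are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the "Aborted login" lines quoted in the thread (constructed here; not a stock fail2ban filter).
ABORTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: (?:pop3|imap)-login: "
    r"Aborted login \(auth failed, (?P<n>\d+) attempts?\): user=<(?P<user>[^>]*)>, "
    r"method=\S+, rip=(?P<rip>[\d.]+), lip=[\d.]+"
)

def parse_aborted(line, year=2009):
    """Return {'ts', 'rip', 'user', 'attempts'} for a matching line, else None."""
    if not (m := ABORTED_RE.search(line)):
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "rip": m["rip"], "user": m["user"], "attempts": int(m["n"])}

def offending_ips(lines, maxretry=5, findtime=600):
    """Map rip -> (failures, distinct usernames) for clients with at least `maxretry`
    failures inside any `findtime`-second window (fail2ban's maxretry/findtime idea)."""
    stamps, users = defaultdict(list), defaultdict(set)
    for line in lines:
        if ev := parse_aborted(line):
            stamps[ev["rip"]].append(ev["ts"])
            users[ev["rip"]].add(ev["user"])
    hits = {}
    for rip, ts_list in stamps.items():
        ts_list.sort()
        start = 0
        for end, t in enumerate(ts_list):  # sliding window over sorted times
            while (t - ts_list[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                hits[rip] = (len(ts_list), len(users[rip]))
                break
    return hits

# Constructed sample in the thread's format (RFC 5737 addresses, not the real client IP):
# six guesses in two seconds from one rip, one genuine typo from another, one success.
SAMPLE_LOG = [
    f"Jun 21 23:06:0{s} mail dovecot: pop3-login: Aborted login (auth failed, 1 "
    f"attempts): user=<{u}>, method=PLAIN, rip=203.0.113.7, lip=10.10.11.2"
    for s, u in [(4, "warren"), (4, "williams"), (4, "www"),
                 (5, "wilson"), (5, "willy"), (5, "valerie")]
] + [
    "Jun 21 23:10:30 mail dovecot: pop3-login: Aborted login (auth failed, 1 "
    "attempts): user=<rodman>, method=PLAIN, rip=198.51.100.4, lip=10.10.11.2",
    "Jun 21 23:11:02 mail dovecot: pop3-login: Login: user=<rodman>, method=PLAIN, rip=198.51.100.4, lip=10.10.11.2",
]
```

Running `offending_ips(SAMPLE_LOG)` reports only the dictionary client, with six failures across six usernames; the single typo and the successful login are not flagged.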