[Dovecot] dovecot dictionary attacks

PA razor at meganet.net
Thu Nov 11 19:57:46 EET 2010


Timo,

Yes, Postfix is configured for SASL, so the spammer IP was able to relay email
after it obtained the account info.
My concern is how the spammer got the user/pass in the 1st place, since
nowhere in the dovecot logs do I see that particular user attempting to
login with the wrong/correct password etc. I should be able to see all login
attempts, correct, if the user/pass was obtained through a dict. attack? If
that's the case then most likely the user/password was obtained from the
user's PC and not guessed on the mail server. I am trying to make sense of
what happened and to make sure I'm not overlooking something on dovecot.

-----Original Message-----
From: Timo Sirainen [mailto:tss at iki.fi] 
Sent: Wednesday, November 10, 2010 8:22 PM
To: PA
Cc: dovecot at dovecot.org
Subject: Re: [Dovecot] dovecot dictionary attacks


On 10.11.2010, at 23.03, PA wrote:

> However on my smtp mail server that ip is already sending out all sorts of
> spam with the sasl username of Paramus. This username Paramus never shows up
> on the dovecot dictionary attack, as a matter of fact the user Paramus is
> nowhere to be found on the dovecot log at all and I have logs going back
> months.
>
> I'm just not sure how they guess the username/password as it's not on any
> logs that go back months and I don't have a dovecot record for that user.

Well, probably obvious, but since you didn't explicitly say: You have
configured Postfix to use Dovecot for authentication, not Cyrus SASL,
right?..
