[Dovecot] Wrong remote IP (rip) in mail.log using IMAP login

Marcin Mirosław marcin at mejor.pl
Fri Apr 15 12:00:39 EEST 2011


W dniu 15.04.2011 10:57, tyli pisze:
> Dear list users
> 
> While trying to secure our dovecot server with fail2ban I came across
> the following problem:
> We use dovecot (1.2.9, ubuntu package) behind a NAT, and failed login
> attempts are logged with our firewall as the remote ip.
> 
> Example:
> Apr 15 08:36:26 mail dovecot: imap-login: Disconnected (auth failed, 6
> attempts): user=<xy>, method=PLAIN, rip=192.168.0.1, lip=192.168.0.3
> 
> Therefore I would ban 192.168.0.1 which means that I ban EVERY user.
> 
> Funny thing is that POP3 login attempts are logged correctly:
> Apr 13 11:05:50 mail dovecot: pop3-login: Disconnected (auth failed, 1
> attempts): user=<sgvyniwx>, method=PLAIN, rip=217.81.27.55, lip=192.168.0.3
> 

Hi!
Do simple check, try run tcpdump port imap and check if rempte address
ip is local or is it remote?
Reagrds,
Marcin


More information about the dovecot mailing list