[Dovecot] Wrong remote IP (rip) in mail.log using IMAP login
marcin at mejor.pl
Fri Apr 15 12:00:39 EEST 2011
W dniu 15.04.2011 10:57, tyli pisze:
> Dear list users
> While trying to secure our dovecot server with fail2ban I came across
> the following problem:
> We use dovecot (1.2.9, ubuntu package) behind a NAT, and failed login
> attempts are logged with our firewall as the remote ip.
> Apr 15 08:36:26 mail dovecot: imap-login: Disconnected (auth failed, 6
> attempts): user=<xy>, method=PLAIN, rip=192.168.0.1, lip=192.168.0.3
> Therefore I would ban 192.168.0.1 which means that I ban EVERY user.
> Funny thing is that POP3 login attempts are logged correctly:
> Apr 13 11:05:50 mail dovecot: pop3-login: Disconnected (auth failed, 1
> attempts): user=<sgvyniwx>, method=PLAIN, rip=220.127.116.11, lip=192.168.0.3
Do simple check, try run tcpdump port imap and check if rempte address
ip is local or is it remote?
More information about the dovecot