[Dovecot] Wrong remote IP (rip) in mail.log using IMAP login

Marcin Mirosław marcin at mejor.pl
Fri Apr 15 12:00:39 EEST 2011

W dniu 15.04.2011 10:57, tyli pisze:
> Dear list users
> While trying to secure our dovecot server with fail2ban I came across
> the following problem:
> We use dovecot (1.2.9, ubuntu package) behind a NAT, and failed login
> attempts are logged with our firewall as the remote ip.
> Example:
> Apr 15 08:36:26 mail dovecot: imap-login: Disconnected (auth failed, 6
> attempts): user=<xy>, method=PLAIN, rip=, lip=
> Therefore I would ban which means that I ban EVERY user.
> Funny thing is that POP3 login attempts are logged correctly:
> Apr 13 11:05:50 mail dovecot: pop3-login: Disconnected (auth failed, 1
> attempts): user=<sgvyniwx>, method=PLAIN, rip=, lip=

Do simple check, try run tcpdump port imap and check if rempte address
ip is local or is it remote?

More information about the dovecot mailing list