[Dovecot] Attacking Dovecot

Ken A ka at pacific.net
Mon Sep 12 18:49:11 EEST 2011


That's all normal activity (failed logins) for any internet-facing 
machine. They may be dictionary attacks, or not... If they get on your 
nerves, block them. Strong passwords will help more.

Also, it's likely that you have forged mail coming in from outside, and 
not really "spam from local users"?

If it is really locally generated, then disable the account.

Ken


On 9/9/2011 4:45 PM, Nikos Papadopoulos wrote:
> Hello,
>
> I am using Dovecot ver.1.0.7 on an x86 server with RedHat Linux Enterprise 5
> and the following configuration:
>
> # 1.0.7: /etc/dovecot.conf
> protocols: pop3
> login_dir: /var/run/dovecot/login
> login_executable: /usr/libexec/dovecot/pop3-login
> mail_location: mbox:~/mail:INBOX=/var/mail/%u
> mail_executable: /usr/libexec/dovecot/pop3
> mail_plugin_dir: /usr/lib/dovecot/pop3
> pop3_client_workarounds: outlook-no-nuls oe-ns-eoh
> auth default:
>    passdb:
>      driver: pam
>    userdb:
>      driver: passwd
>
> It seems that my mail server is being attacked by someone who tries to
> retrieve users' credentials. Please read below an output of logwatch.
>
> dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user sandra
> dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tanya
> dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tanya
> dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user dark
> dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user dark
> dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user gibson
> dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user frank
> dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user frank
>
> Besides, some of the local users receive "spam" emails, which seem to be
> sent by another local user.
>
> Please assist me on how to prevent the aforementioned attack.
>
> Best Regards,
>
> Nikos

-- 
Ken Anderson
Pacific Internet - http://www.pacific.net
Latest Pacific.Net Status - http://twitter.com/pacnetstatus
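
Added example, not part of the original thread: a way to check from the logs whether failed logins look like a dictionary run. It tallies the pam_succeed_if "error retrieving information about user" lines quoted above (PAM logs these when the name has no local account) and groups failures by client address. The pam_unix "rhost=" line format, the host name, the addresses, the user "nikos" and the min_names threshold are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Line format shown in the logwatch output quoted in the thread.
UNKNOWN_USER = re.compile(
    r"dovecot-auth: pam_succeed_if\(dovecot:auth\): "
    r"error retrieving information about user (\S+)")
# Assumed companion pam_unix line (not shown in the thread) carrying the client address.
AUTH_FAIL = re.compile(
    r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure;"
    r".*\bruser=(\S*) rhost=(\S+)")

# Constructed sample; names reuse those in the thread, addresses are documentation ranges.
SAMPLE = """\
Sep  9 16:40:01 mail dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user sandra
Sep  9 16:40:01 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=sandra rhost=203.0.113.5
Sep  9 16:40:03 mail dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tanya
Sep  9 16:40:03 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=tanya rhost=203.0.113.5
Sep  9 16:40:05 mail dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tanya
Sep  9 16:40:05 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=tanya rhost=203.0.113.5
Sep  9 16:40:07 mail dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user dark
Sep  9 16:40:07 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=dark rhost=203.0.113.5
Sep  9 17:02:11 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nikos rhost=198.51.100.7
Sep  9 17:02:30 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nikos rhost=198.51.100.7
"""

def summarize(lines, min_names=3):
    """Return (attempts per nonexistent user, {address: names} for likely dictionary sources)."""
    unknown = Counter()
    names_by_host = defaultdict(set)
    for line in lines:
        m = UNKNOWN_USER.search(line)
        if m:
            unknown[m.group(1)] += 1
            continue
        m = AUTH_FAIL.search(line)
        if m and m.group(1):
            names_by_host[m.group(2)].add(m.group(1))
    # One address cycling through many different names is guessing;
    # repeated failures on a single name are more likely a mistyped password.
    suspects = {h: sorted(n) for h, n in names_by_host.items() if len(n) >= min_names}
    return unknown, suspects

if __name__ == "__main__":
    unknown, suspects = summarize(SAMPLE.splitlines())
    print("attempts on nonexistent accounts:", dict(unknown))
    print("candidate addresses to block:", suspects)
```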


