[Dovecot] auth trouble

Joseph Tam jtam.home at gmail.com
Wed Jun 6 01:21:51 EEST 2012

Glenn English wrote:

>> Maybe someone is brute forcing your server's Postfix authenticated
>> SMTP service since Postfix can be configured to use Dovecot's SASL
>> authentication framework.
> and for the suggestion -- I do have Postfix using Dovecot-Auth checking
> for SASL.
> I think I'm going to re-install and run Tripwire...

Tripwire?  If the purpose of your query is to automate blocking of brute
forcers, this software is not what you want (which detects tampering of
critical system files).

I suggest trying to find where Postfix failed login reports go, then use
your fail2ban or what-have-you to detect and block hosts that repeatedly
fail authentication.

 	(First Google hit I did on this subject)

The log entries might look like

 	{timestamp} {servername} postfix/smtpd[{pid}]: lost connection after AUTH
 		from {remote-hostname}[{remote-ip}]

Joseph Tam <jtam.home at gmail.com>

More information about the dovecot mailing list