Deafness

alvin alvin.sm at Mail.Linux-Consulting.com
Wed Jul 29 15:12:26 UTC 2015


hi ya

On Tue, Jul 28, 2015 at 11:35:31PM -0400, Chris Ross wrote:
> 
> > On Jul 28, 2015, at 21:52 , Steffan Cline <steffan at hldns.com> wrote:
> > 
> > Ok, I think I have come a little further.
> > 
> > When dovecot stops accepting connections, I checked netstat and found this:
> > 
> > [root at hosting1 ~]#  netstat -an | grep 993
> > tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN      
> > tcp        0      0 65.39.x.x:993            184.101.x.x:36351        SYN_RECV    
> > tcp        0      0 65.39.x.x:993            107.212.x.x:51487        SYN_RECV    
> > tcp        0      0 65.39.x.x:993            107.212.x.x:51488        SYN_RECV    
> > tcp        0      0 65.39.x.x:993            184.101.x.x:44650        SYN_RECV    

are you sure these are legitimate incoming imaps connections from those 107.212.x.x IP# addresses ??

they could just be probing your server for vulnerability before attacking
what ports are used or not ... etc etc..

the fact that dovecot replies to telnet localhost 993 is a good thing,
that imaps "should work" ...

you can also go one step further and check the certs belong to you:
	outsidePC# openssl s_client -connect imaps.your-domain.com:993

if it is your own real connection attempts from your customers/employees,
you might have a problem, that requires more info ...

if you do NOT recognize those IP#, don't worry, except that you do need
to add imaps and pop3s into /etc/hosts.allow to allow legit connections
and all other script kiddies should be dropped.  similarly, your firewall
should be configured to tarpit un-authorized new tcp connections to port 993

> > This told me it wasn't too many connections causing dovecot to be unresponsive. So then I tried via telnet.
> > 
> > Dovecot seems to accept connections but then just sits there and does nothing. I used the appropriate commands to try and initiate a login but nothing happens. Typing any commands at all produces no response from dovecot.
> 
>   Actually, I think the above shows that it's not a dovecot problem.  A socket in a SYN_RECV state means that a connection request has merely been received from the network.  That means your kernel has not finished establishing the TCP connection, so dovecot (or the application level in general) is likely not even involved yet.  I would suspect some sort of firewall config on your host, or perhaps some sort of overload at the network stack level.  But, the latter only if the server were very heavily loaded.

ditto

>   I hope this feedback is helpful.

pixie dust
alvin
- http://NetworkNightmare.net/OpenSSL
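
Added example, not part of the original thread: a way to turn the netstat output discussed above into per-state and per-peer counts for port 993, so that sockets stuck in SYN_RECV (handshake not completed by the kernel) can be told apart from established sessions. The function names are hypothetical, the Linux net-tools column layout is assumed, and the sample addresses are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example. Assumes Linux net-tools `netstat -an` columns:
#   proto recv-q send-q local-addr remote-addr state
# Live use: netstat -an | state_counts 993 ; netstat -an | half_open_by_peer 993

# Constructed sample input (documentation address ranges, not real hosts).
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:993        0.0.0.0:*            LISTEN
tcp        0      0 192.0.2.10:993     198.51.100.7:36351   SYN_RECV
tcp        0      0 192.0.2.10:993     203.0.113.20:51487   SYN_RECV
tcp        0      0 192.0.2.10:993     203.0.113.20:51488   SYN_RECV
tcp        0      0 192.0.2.10:993     198.51.100.7:44650   SYN_RECV
tcp        0      0 192.0.2.10:993     203.0.113.20:51489   SYN_RECV
tcp        0      0 192.0.2.10:993     198.51.100.99:40000  ESTABLISHED
tcp        0      0 192.0.2.10:143     198.51.100.7:40001   SYN_RECV
EOF
}

# state_counts PORT: "STATE count" for every TCP socket whose local port is PORT.
state_counts() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && NF >= 6 {
            n = split($4, a, ":")          # last piece of local-addr is the port
            if (a[n] == port) c[$6]++
        }
        END { for (s in c) print s, c[s] }' | LC_ALL=C sort
}

# half_open_by_peer PORT: "count remote-ip" for SYN_RECV sockets on local PORT,
# busiest peer first. Many entries from one peer that never reach ESTABLISHED
# point at the network path or firewall, not at the IMAP daemon.
half_open_by_peer() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            n = split($4, a, ":")
            if (a[n] != port) next
            peer = $5; sub(/:[^:]*$/, "", peer)   # drop the remote port
            c[peer]++
        }
        END { for (p in c) print c[p], p }' | LC_ALL=C sort -k1,1nr -k2,2
}

sample_netstat | state_counts 993
sample_netstat | half_open_by_peer 993
```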

