Possible attack?

Daniel Miller dmiller at amfes.com
Tue Dec 18 01:42:51 EET 2018


I found an error in my log today...

Dec 17 12:03:30 bubba dovecot: 
imap(user1 at amfes.com)<23017><VzQFnjx9WNAKO2EC>: Error: fts_solr: 
received invalid uid '0'
Dec 17 12:04:44 bubba dovecot: 
imap(user2 at amfes.com)<25004><FeHDSj19i2ysOCn7>: Fatal: master: 
service(imap): child 25004 killed with signal 11 (core dumps disabled - 
https://dovecot.org/bugreport.html#coredumps)

I've now enabled core dumps (I think) and restarted - if it comes back 
hopefully I can get a backtrace.  But reading that fts_solr message, and 
some other comments, leads me to wonder - could this be caused by 
someone/thing trying to authenticate as root?

On that theory - I tried doing so via telnet - and received:

Dec 17 15:06:02 bubba dovecot: auth: Error: 
plain(ultradeitytypeperson at amfes.com,127.0.0.1,<4kQr0z99UMZ/AAAB>): user 
not found from any userdbs
Dec 17 15:06:02 bubba dovecot: imap: Error: Authenticated user not found 
from userdb, auth lookup id=3522297857 (auth connected 1 msecs ago, 
handshake 0 msecs ago, request took 1 msecs, client-pid=29572 client-id=1)

I have root's email aliased to a valid user's email.  I'm not sure how 
I'm able to authenticate as root - there isn't a root user defined in my 
LDAP database and that should be the only auth backend enabled for 
Dovecot.  Or do I need to explicitly block local users from /etc/passwd 
on the server?  The only auth databases shown in doveconf -n:

userdb {
   driver = prefetch
}
userdb {
   args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
   driver = ldap
}
passdb {
   args = /usr/local/etc/dovecot/master-users
   driver = passwd-file
   master = yes
}
passdb {
   args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
   driver = ldap
}

and "master-users" doesn't list root either.

-- 
Daniel
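As an added example (not code from the original post or from the Dovecot project), the script below parses log lines in the three formats quoted above and flags them the way a defender triaging this log would: userdb misses for privileged names, signal 11 crashes of the imap service, and fts_solr "invalid uid '0'" errors, plus a per-source count of failed lookups. The sample lines, hostnames, users and addresses are constructed for this example, and the regular expressions assume the syslog-style line format shown in the post.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log, modelled on the line formats quoted in the post.
# Hosts, users, addresses and session ids are made up for this example.
SAMPLE_LOG = """\
Dec 17 12:03:30 bubba dovecot: imap(user1@example.test)<23017><VzQFnjx9WNAKO2EC>: Error: fts_solr: received invalid uid '0'
Dec 17 12:04:44 bubba dovecot: imap(user2@example.test)<25004><FeHDSj19i2ysOCn7>: Fatal: master: service(imap): child 25004 killed with signal 11 (core dumps disabled - https://dovecot.org/bugreport.html#coredumps)
Dec 17 15:06:02 bubba dovecot: auth: Error: plain(root@example.test,127.0.0.1,<4kQr0z99UMZ/AAAB>): user not found from any userdbs
Dec 17 15:06:02 bubba dovecot: imap: Error: Authenticated user not found from userdb, auth lookup id=3522297857 (auth connected 1 msecs ago, handshake 0 msecs ago, request took 1 msecs, client-pid=29572 client-id=1)
Dec 17 15:06:10 bubba dovecot: auth: Error: plain(root@example.test,198.51.100.7,<abc>): user not found from any userdbs
Dec 17 15:07:00 bubba dovecot: imap-login: Login: user=<user1@example.test>, method=PLAIN, rip=192.0.2.5, lip=192.0.2.1
"""

# Assumption: lines look like "Mon DD HH:MM:SS host dovecot: <process>: <message>".
AUTH_USERDB_MISS = re.compile(
    r"dovecot: auth: Error: (?P<mech>\w+)\((?P<user>[^,]+),(?P<rip>[^,]+),<[^>]*>\): "
    r"user not found from any userdbs"
)
CHILD_KILLED = re.compile(
    r"dovecot: imap\((?P<user>[^)]+)\)<(?P<pid>\d+)><[^>]*>: Fatal: master: "
    r"service\((?P<service>[^)]+)\): child \d+ killed with signal (?P<signal>\d+)"
)
FTS_INVALID_UID = re.compile(
    r"dovecot: imap\((?P<user>[^)]+)\)<\d+><[^>]*>: Error: fts_solr: "
    r"received invalid uid '(?P<uid>\d+)'"
)

# Account names that should never reach the mail userdb in this setup.
PRIVILEGED = {"root", "admin", "administrator"}


def triage(log_text: str) -> Dict[str, List[dict]]:
    """Extract the three event types into structured records, keyed by type."""
    events: Dict[str, List[dict]] = {"userdb_miss": [], "child_killed": [], "fts_invalid_uid": []}
    for line in log_text.splitlines():
        ts = line[:15]  # syslog timestamp, e.g. "Dec 17 12:03:30"
        m = AUTH_USERDB_MISS.search(line)
        if m:
            events["userdb_miss"].append(
                {"ts": ts, "mech": m["mech"], "user": m["user"].strip(), "rip": m["rip"].strip()})
            continue
        m = CHILD_KILLED.search(line)
        if m:
            events["child_killed"].append(
                {"ts": ts, "user": m["user"], "pid": int(m["pid"]),
                 "service": m["service"], "signal": int(m["signal"])})
            continue
        m = FTS_INVALID_UID.search(line)
        if m:
            events["fts_invalid_uid"].append({"ts": ts, "user": m["user"], "uid": int(m["uid"])})
    return events


def local_part(user: str) -> str:
    """'root@example.test' or 'root at example.test' (archive-mangled) -> 'root'."""
    return re.split(r"@| at ", user, maxsplit=1)[0].strip().lower()


def findings(events: Dict[str, List[dict]], per_source_threshold: int = 5) -> List[str]:
    """Turn raw events into human-readable findings worth a closer look."""
    out: List[str] = []
    by_source = Counter(e["rip"] for e in events["userdb_miss"])
    for rip, n in by_source.items():
        if n >= per_source_threshold:
            out.append(f"{n} failed userdb lookups from {rip}")
    for e in events["userdb_miss"]:
        if local_part(e["user"]) in PRIVILEGED:
            out.append(f"{e['ts']} {e['mech']} login attempt for privileged name "
                       f"{e['user']!r} from {e['rip']} (not in any userdb)")
    for e in events["child_killed"]:
        if e["signal"] == 11:  # SIGSEGV
            out.append(f"{e['ts']} {e['service']} child {e['pid']} crashed with "
                       f"signal 11 while serving {e['user']}")
    for e in events["fts_invalid_uid"]:
        if e["uid"] == 0:
            out.append(f"{e['ts']} fts_solr saw uid 0 for {e['user']}; check the index for that mailbox")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print(line)
```

Running it against the constructed sample prints four findings: the two failed lookups for `root`, the signal 11 crash of child 25004, and the uid 0 error for user1. Lowering `per_source_threshold` adds a line per source address once its miss count reaches the threshold, which is the knob to tune against a real log before alerting on it.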


