Non-user logins?

Dave McGuire mcguire at neurotica.com
Sat Jan 8 04:39:20 UTC 2022


On 1/7/22 11:35 PM, Ken Wright wrote:
>>> My Dovecot issues continue.  Right now I see at least two issues:
>>> first, my logs consistently show non-users trying (and failing) to
>>> log in, and I'm still unable to log in from my email client
>>> (Evolution or Roundcube, either one).
>>>
>>> I'll post about the second issue later; right now I wonder why I'm
>>> getting so many non-users trying to log in.  Am I the subject of
>>> concerted hacking attacks, or is there something else going on?
>>> Some of the attempted logins are more-or-less random names claiming
>>> to be @mydomain, but at least one is a username that's really on my
>>> server, to wit:
>>>
>>> Jan  7 22:52:01 grace dovecot: lmtp(776281): Error: lmtp-server:
>>> conn unix:pid=776262,uid=117 [3]: rcpt www-data at mydomain.com:
>>> Failed to lookup user www-data at mydomain.com: Internal error
>>> occurred. Refer to server log for more information.
>>>
>>> (Another quick question:  which server log should I check?)
>>>
>>> So, if anyone can tell me what's going on with all these logins,
>>> I'd be much obliged!
>>
>>     I see them all the time on the mail servers I run.  Typical kids
>> trying to mess with other people's stuff.  I run fail2ban to catch
>> those log entries and block the source IP address for a month on the
>> first failed login.  At any one time I have between 12,000 and 15,000
>> addresses in my blocked list for IMAP.
> 
> Dave, that's exactly the kind of answer I was looking for.  Fail2ban,
> huh?  I'll have to check that out.

   I run it under Solaris (SmartOS), but it's available on most 
platforms now.

> Thanks again!

   I'm happy to be of assistance.  Good luck.

           -Dave

-- 
Dave McGuire, AK4HZ
New Kensington, PA
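
An added example, not part of the message above and not fail2ban's own code: the policy described there (ban the source IP for a month on the first failed IMAP login), applied in Python to constructed sample log lines. The log-line shape, the 30-day reading of "a month", the function names and the `ignore` safelist for your own client addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

BAN_TIME = timedelta(days=30)   # "a month", taken here as 30 days (assumption)
MAX_RETRY = 1                   # ban on the first failed login

# Assumed shape of a Dovecot imap-login auth-failure line (syslog format).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ dovecot: imap-login: "
    r".*\(auth failed, \d+ attempts[^)]*\).*\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jan  7 22:50:11 grace dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<a1>
Jan  7 22:50:40 grace dovecot: imap-login: Login: user=<ken>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=4242, TLS, session=<b2>
Jan  7 22:51:02 grace dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<www-data>, method=LOGIN, rip=203.0.113.99, lip=192.0.2.10, session=<c3>
Jan  7 22:52:30 grace dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<d4>
"""

def build_bans(log_text, year=2022, ignore=("127.0.0.1", "::1")):
    """Return {ip: ban_expiry} for every source with >= MAX_RETRY failures."""
    failures, bans = {}, {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["rip"] in ignore:
            continue  # not an auth failure, or a safelisted address
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures[m["rip"]] = failures.get(m["rip"], 0) + 1
        if failures[m["rip"]] >= MAX_RETRY and m["rip"] not in bans:
            bans[m["rip"]] = when + BAN_TIME  # ban starts at the triggering failure
    return bans

def is_banned(bans, ip, now):
    """True while the ban for ip has not yet expired."""
    return ip in bans and now < bans[ip]

if __name__ == "__main__":
    for ip, until in sorted(build_bans(SAMPLE_LOG).items()):
        print(f"{ip} banned until {until:%Y-%m-%d %H:%M:%S}")
```

With a one-failure threshold, any address passed in `ignore` is never banned, which matters while a legitimate mail client is still failing to authenticate.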