Good time of the day, Federico.
Thank You, Federico, for Your time and answer. You wrote:

> > Could You please comment this auth. failure:
> >
> > localhost auth: pam_unix(dovecot:auth): authentication failure;
> > logname= uid=0 euid=0 tty=dovecot ruser=null rhost=91.201.64.249
> >
> > ?
> >
> > As I understand this - one tried to login to dovecot - but dovecot
> > was
> What do you mean for "dovecot". Dovecot manages various services:
>
> 110 POP
> 143 IMAP
> 2000 or 4190 MANAGESIEVE
>
> Do you are sure you blocked all dovecot ports?

You have understood me absolutely correctly! That is what I meant, and all those ports were closed for public networks - dovecot was accessible only for local network addresses.

> Can you make a scan port to your host and verify that your firewall
> works as you expected?

Sure. Nmap says it is filtered.

> If you saved the logs, then you also have the dovecot logs in
> mail.log, did you find the entry that correspond with this line in
> auth.log? Then you can know to what dovecot process the "attacker"
> connected.

The question is from where (rhost / lprocess) the attack was made - rather than which dovecot process responded. We see that the FW has closed all the dovecot ports, yet the attack took place. Also we cannot specify what exactly that string of pam_unix means - the variables it gives - surely, the one who is able to interpret it will shed light on the situation.

Thank You for help, Federico.

Sthu.
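An added example, not part of the original thread: a small Python parser that splits the pam_unix record quoted above into its fields, attaches what each field carries, and checks `rhost` against the networks the firewall is supposed to admit. The `ALLOWED_NETS` ranges and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the record quoted in the message, joined onto one line.
SAMPLE = ("localhost auth: pam_unix(dovecot:auth): authentication failure; "
          "logname= uid=0 euid=0 tty=dovecot ruser=null rhost=91.201.64.249")

# Assumption: the local ranges that are meant to reach dovecot.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]

# What each field of a pam_unix "authentication failure" record carries.
FIELD_MEANING = {
    "logname": "login name tied to the calling process (usually empty for a daemon)",
    "uid": "real uid of the process that called PAM",
    "euid": "effective uid of that process",
    "tty": "PAM_TTY item as set by the calling application",
    "ruser": "PAM_RUSER item: remote user name, if the application set one",
    "rhost": "PAM_RHOST item: client address as the application reported it",
    "user": "account being authenticated (not present in every record)",
}

# pam_unix(<service>:<type>): service is the PAM service name, type the PAM stage.
LINE_RE = re.compile(r"pam_unix\((?P<service>[^:)]+):(?P<type>[^)]+)\): "
                     r"authentication failure;(?P<fields>.*)$")

def parse_pam_failure(line):
    """Return service, type and key=value fields, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    return {"service": m.group("service"), "type": m.group("type"), "fields": fields}

def rhost_is_allowed(rhost):
    """True/False for an IP inside/outside ALLOWED_NETS, None if rhost is not an IP."""
    try:
        addr = ipaddress.ip_address(rhost)
    except ValueError:
        return None
    return any(addr in net for net in ALLOWED_NETS)

if __name__ == "__main__":
    rec = parse_pam_failure(SAMPLE)
    print(f"service={rec['service']} type={rec['type']}")
    for key, value in rec["fields"].items():
        print(f"  {key}={value!r}: {FIELD_MEANING.get(key, 'unknown field')}")
    print("rhost inside allowed networks:", rhost_is_allowed(rec["fields"]["rhost"]))
```

A record whose `rhost` falls outside the allowed ranges is the case to correlate with the matching dovecot entry in mail.log and with the firewall rules in force at that timestamp.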