On 04/01/2026 23:29, Bryan Simmons via dovecot wrote:
> Log contains several messages from dovecot that are not clear to me
> exactly what is occurring, single example below. These appear to be
> login attempts for the same group of non-existent user ids from
> various rip addresses. Am I interpreting these correctly and, if so,
> is there any issue with just ignoring them?
>
> dovecot: pop3-login: Disconnected: Connection closed (auth failed, 1
> attempts in 0 secs): user=<[email protected]>, rip=0.0.0.0
>
> Thank you, Bryan
> _______________________________________________
> dovecot mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

Hi Bryan,

Yes, these are authentication failures. In general these are going to be
compromised servers/devices where the purpose could be to try to steal
login credentials by password guessing, potentially then to use them for
smtp authentication to send out spam emails.

To be extremely pragmatic, as long as it is for non-existent users, they
are never going to succeed in logging in whatever password is used. The
issue would be if they are also for existent users, since leaving these
compromised servers/devices hammering away, they may eventually guess a
right password, depending on how strong your password policies are.

Attacks against pop3, imap and managesieve are fewer than against smtp
auth, but they do still happen.

Fail2ban may be useful in blocking the ip addresses, though the
attackers will just change ip address, and you'll end up with quite a
number of ip blocks. But that is preferable to letting them try over and
over again with the risk they will eventually succeed.

Personally I find it helpful to use the Spamhaus XBL and never accept
connection attempts from compromised ips. However, as others have pointed
out, this is not the generally recommended approach. It happens to work
for me since I am not expecting users to have ips in XBL and it gets rid
of most of the malintentioned connections.

John
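
Added example (not part of the original message, and not Dovecot or Fail2ban code): a small Python triage of the "auth failed" lines discussed above, separating remote IPs that only try non-existent users from those failing against accounts that do exist. The sample log lines, the REAL_USERS set and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Failed-login line format as quoted in the thread (service, attempts, user, rip).
FAILED = re.compile(
    r"dovecot: (?P<svc>[\w-]+)-login: .*?"
    r"\(auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

def summarize(lines, real_users):
    """Count failed attempts per remote IP, split by whether the account exists."""
    stats = defaultdict(lambda: {"real": 0, "unknown": 0, "users": set()})
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        user = m["user"].lower()
        kind = "real" if user in real_users else "unknown"
        stats[m["rip"]][kind] += int(m["n"])
        stats[m["rip"]]["users"].add(user)
    return dict(stats)

def needs_attention(stats, threshold=3):
    """Remote IPs with at least `threshold` failures against existing accounts."""
    return sorted(ip for ip, s in stats.items() if s["real"] >= threshold)

# Constructed sample input: example.org users, documentation-range IPs.
_FAIL = ("dovecot: {}-login: Disconnected: Connection closed "
         "(auth failed, {} attempts in 0 secs): user=<{}>, rip={}")
SAMPLE_LOG = [
    _FAIL.format("pop3", 1, "nobody@example.org", "192.0.2.10"),
    _FAIL.format("pop3", 1, "sales@example.org", "192.0.2.10"),
    _FAIL.format("imap", 2, "alice@example.org", "198.51.100.7"),
    _FAIL.format("imap", 2, "Alice@example.org", "198.51.100.7"),
    "dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=203.0.113.20",
]
REAL_USERS = {"alice@example.org"}  # assumed list of accounts that exist

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG, REAL_USERS)
    for ip, s in sorted(stats.items()):
        print(ip, "real:", s["real"], "unknown:", s["unknown"], sorted(s["users"]))
    print("review/block first:", needs_attention(stats))
```
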