[Dovecot] dovecot dictionary attacks

2010-11-10 Thread Paul Amaral
Hi, I've been using dovecot for a while and it's been solid, however I've been
having some issues with dictionary attacks.

I installed fail2ban and for the most part it is working fine. However today I
got another spammer relaying through my server.

Looking at the logs I see the following dictionary attack from 94.242.206.37

Nov 10 03:04:38 pop dovecot: pop3-login: Disconnected: rip=94.242.206.37, lip=209.213.66.10
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=hidden
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=hidden
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=hidden
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=hidden
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=209.213.66.10 rip=94.242.206.37 resp=hidden
Nov 10 03:04:38 pop dovecot: auth(default): shadow(ababa,94.242.206.37): lookup

... and so on.

Then that IP gets banned by fail2ban:

[r...@pop ~]# grep 94.242.206.37 /var/log/fail2ban.log
2010-11-10 03:04:42,416 fail2ban.actions: WARNING [dovecot] Ban 94.242.206.37


However on my SMTP mail server that IP is already sending out all sorts of
spam with the SASL username of Paramus. This username Paramus never shows up
in the dovecot dictionary attack; as a matter of fact the user Paramus is
nowhere to be found in the dovecot log at all, and I have logs going back
months.

Does anyone have any idea what could have happened here? I mean, if the
user/passwd was already harvested by 94.242.206.37, why would they bother
to start another dict. attack?

I'm just not sure how they guessed the username/password, as it's not in any
logs that go back months and I don't have a dovecot record for that user.


/var/log/maillog:Nov 10 02:46:16 mrelay3 postfix/smtpd[27776]: 3B64928015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 02:47:54 mrelay3 postfix/smtpd[27776]: 247AB28016: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 02:48:00 mrelay3 postfix/smtpd[27785]: 87DE128016: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 02:56:00 mrelay3 postfix/smtpd[27792]: 9728628015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 03:05:38 mrelay3 postfix/smtpd[27808]: D529F28015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 03:06:00 mrelay3 postfix/smtpd[27808]: DDF7C2801B: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus

Any help would be appreciated.


paul
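A defender-side check for the situation Paul describes, as an added example that is not from the thread and not part of Dovecot, Postfix or fail2ban: it reads the Dovecot "unknown user" lines and the Postfix SASL lines, flags a source IP that both ran a dictionary attack and relayed mail through SMTP AUTH, and lists the SMTP accounts that never appeared among the guesses (the credentials that a ban on the dictionary attack cannot explain). The log lines are constructed from the ones quoted above, and the regexes assume the Dovecot 1.x auth debug format and Postfix smtpd format shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the logs quoted in the post (not live data).
DOVECOT_LOG = """\
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): unknown user
Nov 10 03:04:39 pop dovecot: auth(default): shadow(ababa,94.242.206.37): unknown user
Nov 10 03:10:00 pop dovecot: auth(default): shadow(alice,10.0.0.5): unknown user
"""
POSTFIX_LOG = """\
Nov 10 02:46:16 mrelay3 postfix/smtpd[27776]: 3B64928015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
Nov 10 03:06:00 mrelay3 postfix/smtpd[27808]: DDF7C2801B: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus
Nov 10 09:00:00 mrelay3 postfix/smtpd[27900]: 0000000000: client=home[10.0.0.5], sasl_method=LOGIN, sasl_username=alice
"""

# Dovecot auth debug line for a failed passdb lookup; Postfix smtpd SASL line.
DOVECOT_RE = re.compile(r"shadow\(([^,]+),([\d.]+)\): unknown user")
POSTFIX_RE = re.compile(r"client=\S+\[([\d.]+)\].*?sasl_username=(\S+)")

def dovecot_guesses(text):
    """Remote IP -> set of (lower-cased) usernames it tried that do not exist."""
    guesses = defaultdict(set)
    for m in DOVECOT_RE.finditer(text):
        guesses[m.group(2)].add(m.group(1).lower())
    return guesses

def smtp_auth_users(text):
    """Client IP -> set of (lower-cased) SASL usernames it relayed with."""
    users = defaultdict(set)
    for m in POSTFIX_RE.finditer(text):
        users[m.group(1)].add(m.group(2).lower())
    return users

def correlate(dovecot_text, postfix_text, threshold=3):
    """IPs that ran a dictionary attack (>= threshold distinct unknown users) and
    also relayed via SMTP AUTH, with the SMTP accounts that were never guessed:
    those credentials came from somewhere other than the attack being banned."""
    guesses = dovecot_guesses(dovecot_text)
    smtp = smtp_auth_users(postfix_text)
    findings = {}
    for ip, names in guesses.items():
        if len(names) >= threshold and ip in smtp:
            findings[ip] = {"guessed": len(names),
                            "smtp_users": sorted(smtp[ip]),
                            "never_guessed": sorted(smtp[ip] - names)}
    return findings
```

Run against real logs, an IP in `never_guessed` is the one to investigate for a leaked or reused password rather than for a brute-force gap in fail2ban.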



Re: [Dovecot] dovecot performance question

2007-05-29 Thread Paul Amaral
Jason, I'm also using virtual server software from Virtual Iron. I will also
be moving this off the virtual server and on to a Dell 1900. Did you
notice better performance once you moved away from VMware?

Thanks, Paul 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Jason Godsey
Sent: Tuesday, May 29, 2007 10:19 PM
To: dovecot@dovecot.org
Cc: Paul A
Subject: Re: [Dovecot] dovecot performance question

I had this problem when running under vmware (time slippage).  I took vmware
out of the loop and all is well.

Also, you should be using ntpd, not cron and ntpdate -b.

Paul A wrote:
 Hi, using the latest dovecot with pop3/imap. Using mostly outlook 2003 for
 pop3 and squirrel mail imap.

 I have a lot of users reporting back that imap is very slow. We 
 average about 300 imap and another 700 pop session at any given time.

 Here's my config:

 disable_plaintext_auth: no
 login_dir: /usr/local/var/run/dovecot/login
 login_executable(default): /usr/local/libexec/dovecot/imap-login
 login_executable(imap): /usr/local/libexec/dovecot/imap-login
 login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
 login_greeting: Cape.Com D-V.1 ready.
 login_processes_count: 14
 max_mail_processes: 9000
 mail_location: maildir:/home/%1u/%u/Maildir
 mail_executable(default): /usr/local/libexec/dovecot/imap
 mail_executable(imap): /usr/local/libexec/dovecot/imap
 mail_executable(pop3): /usr/local/libexec/dovecot/pop3
 mail_plugin_dir(default): /usr/local/lib/dovecot/imap
 mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
 mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
 pop3_uidl_format(default):
 pop3_uidl_format(imap):
 pop3_uidl_format(pop3): %v.%u
 pop3_client_workarounds(default):
 pop3_client_workarounds(imap):
 pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
 auth default:
   count: 4
   passdb:
     driver: pam
   userdb:
     driver: passwd

 I'm trying to figure out what I'm doing wrong, I was seeing the same
 performance issues with .99.


 Here's what im seeing for connections,

 [EMAIL PROTECTED] etc]# ps aux | grep pop3 | wc -l
 562
 [EMAIL PROTECTED] etc]# ps aux | grep imap | wc -l
 254
 [EMAIL PROTECTED] etc]#

 I am having a time issue on this server and I'm not sure if it's
 affecting dovecot.

 May 29 11:42:19 pop dovecot: POP3(xxx): Time just moved backwards by 1 seconds. I'll sleep now until we're back in present.
 May 29 11:42:19 pop dovecot: POP3(xxx): Time just moved backwards by 1 seconds. I'll sleep now until we're back in present.
 May 29 11:42:31 pop dovecot: POP3(xxx): Time just moved backwards by 1 seconds. I'll sleep now until we're back in present.
 May 29 11:42:42 pop dovecot: POP3(xxx): Time just moved backwards by 1 seconds. I'll sleep now until we're back in present.

 Thanks,
  
 P


   



Re: [Dovecot] Dovecot] dovecot performance question

2007-05-29 Thread Paul Amaral
Kenny, I think the time problem is related to the virtual server software
I'm using. But the head node has 2 dual-core Intels with 8 gigs of RAM
with 7,000 users. The CPU stays at about 60% idle. I will be moving away
from the virtual server stuff and onto a stand-alone server; hopefully this
helps out the situation.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Kenny Dail
Sent: Tuesday, May 29, 2007 7:57 PM
To: dovecot@dovecot.org
Subject: Re: [Dovecot] Dovecot] dovecot performance question

 Hi, using the latest dovecot with pop3/imap. Using mostly outlook 2003 for
 pop3 and squirrel mail imap.

 I have a lot of users reporting back that imap is very slow. We
 average about 300 imap and another 700 pop session at any given time.

reporting that imap is slow or that squirrelmail is slow? ;) How is the load
average on the server? We found at our site to keep Apache/squirrelmail
happy, we dedicated a server for our webmail users.
Mostly being a RAM issue in that case. Just how beefy is the server you are
using?

 I am having a time issue on this server and I'm not sure if it's
 affecting dovecot.

 May 29 11:42:19 pop dovecot: POP3(xxx): Time just moved backwards by 1 seconds. I'll sleep now until we're back in present.
 May 29 11:42:19 pop dovecot: POP3(xxx): Time just moved backwards by 1 seconds. I'll sleep now until we're back in present.
 May 29 11:42:31 pop dovecot: POP3(xxx): Time just moved backwards by 1 seconds. I'll sleep now until we're back in present.
 May 29 11:42:42 pop dovecot: POP3(xxx): Time just moved backwards by 1 seconds. I'll sleep now until we're back in present.

It'll affect it in that you will be having 1 sec delays frequently it seems.
You should definitely look into fixing that. That is bad behavior for a busy
mail server.
--
Kenny Dail [EMAIL PROTECTED]



[Dovecot] locking question

2007-05-25 Thread Paul Amaral
Hi, I'm using Maildir with dovecot .99, I'm getting some errors with fcntl
locks. Do I still need to use a locking mechanism if I'm using maildir with
pop3 access?

For reasons I won't go into I can't upgrade from .99 to version one at the
time.

I'm getting this error with some users; I have tried to manually delete the
.imap.index file but the error comes back, any thoughts?

May 24 12:11:21 pop imap(generalg): Timeout while waiting for release of exclusive fcntl() lock for index file /home/g/generalg/Maildir/.INBOX/.imap.index



TIA, Paul