Re: localhost logins

2017-06-28 Thread Joseph Tam



Jun 27 12:03:27 bubba dovecot: auth:
ldap(someu...@mydomain.com,127.0.0.1): invalid credentials

The only other thing I can think of - Postfix runs on this server and
uses Dovecot SASL.  Is it possible the Dovecot auth log line is caused
by a Postfix connection attempt?


That would have been my first guess.  Why don't you actually try it
out (i.e. log in to SMTP with bad credentials) and see if the
mysterious log entry appears.

# Create bogus SMTP auth string (printf, since echo's handling of \0 varies)
AUTH=`printf '\0user\0badpassword' | openssl enc -base64`

# SMTP session commands
printf 'EHLO test.client.helo\nAUTH PLAIN %s\nQUIT\n' "$AUTH" >data

# Use whichever mechanism your Postfix advertises ("250-AUTH PLAIN ...")
#   - if your server uses greet pause, you'll have to enter data manually
netcat -C mailserver 25 <data


Re: localhost logins

2017-06-27 Thread Daniel Miller

On 6/27/2017 1:33 AM, Daniel Miller wrote:

On 6/27/2017 12:42 AM, Fabian Schmidt wrote:


Am 26.06.17 schrieb Daniel Miller:


On 2017-06-23 15:09, Marcus Rueckert wrote:

On Fri, 23 Jun 2017 11:38:28 -0700
Daniel Miller  wrote:


While auditing my logs after an account was compromised, I see a
number of entries like:

Jun 23 11:32:18 bubba dovecot: auth:
ldap("one-of-my-accounts",127.0.0.1): invalid credentials


webmail?


Nagios or someone else monitoring dovecot?


Not running such - and they wouldn't be hitting multiple accounts.

Now I'm more confused.  I changed Dovecot to listen only on a specific 
IP address - and I still see localhost log lines:


Jun 27 12:03:27 bubba dovecot: auth: 
ldap(someu...@mydomain.com,127.0.0.1): invalid credentials


The only other thing I can think of - Postfix runs on this server and 
uses Dovecot SASL.  Is it possible the Dovecot auth log line is caused 
by a Postfix connection attempt?


Daniel


Re: localhost logins

2017-06-27 Thread Daniel Miller

On 6/27/2017 12:42 AM, Fabian Schmidt wrote:


Am 26.06.17 schrieb Daniel Miller:


On 2017-06-23 15:09, Marcus Rueckert wrote:

On Fri, 23 Jun 2017 11:38:28 -0700
Daniel Miller  wrote:


While auditing my logs after an account was compromised, I see a
number of entries like:

Jun 23 11:32:18 bubba dovecot: auth:
ldap("one-of-my-accounts",127.0.0.1): invalid credentials


webmail?


Nagios or someone else monitoring dovecot?


Not running such - and they wouldn't be hitting multiple accounts.

Daniel


Re: localhost logins

2017-06-27 Thread Fabian Schmidt


Am 26.06.17 schrieb Daniel Miller:


On 2017-06-23 15:09, Marcus Rueckert wrote:

On Fri, 23 Jun 2017 11:38:28 -0700
Daniel Miller  wrote:


While auditing my logs after an account was compromised, I see a
number of entries like:

Jun 23 11:32:18 bubba dovecot: auth:
ldap("one-of-my-accounts",127.0.0.1): invalid credentials


webmail?


Nagios or someone else monitoring dovecot?


Fabian.


Re: localhost logins

2017-06-26 Thread Daniel Miller

On 2017-06-23 15:09, Marcus Rueckert wrote:

On Fri, 23 Jun 2017 11:38:28 -0700
Daniel Miller  wrote:


While auditing my logs after an account was compromised, I see a
number of entries like:

Jun 23 11:32:18 bubba dovecot: auth:
ldap("one-of-my-accounts",127.0.0.1): invalid credentials


webmail?


I thought that as well - because I do have a webmail service - but 
that's on a separate virtual server (admittedly, running on this host).  
So that shouldn't give me a localhost IP.  I also don't see anything in 
the webmail logs corresponding to the dovecot logs.


---
Daniel


Re: localhost logins

2017-06-23 Thread Marcus Rueckert
On Fri, 23 Jun 2017 11:38:28 -0700
Daniel Miller  wrote:

> While auditing my logs after an account was compromised, I see a
> number of entries like:
> 
> Jun 23 11:32:18 bubba dovecot: auth: 
> ldap("one-of-my-accounts",127.0.0.1): invalid credentials

webmail?


-- 
  openSUSE - SUSE Linux is my linux
  openSUSE is good for you
  www.opensuse.org


localhost logins

2017-06-23 Thread Daniel Miller
While auditing my logs after an account was compromised, I see a number 
of entries like:


Jun 23 11:32:18 bubba dovecot: auth: 
ldap("one-of-my-accounts",127.0.0.1): invalid credentials


I'm trying to figure out where this login attempt is coming from.  I do 
run ASSP (an SMTP proxy) on this server, as well as Postfix - but I 
wouldn't think there'd be any communication with Dovecot for those?


Postfix does use Dovecot SASL - but I see separate log entries for 
Postfix authentication failures.


There are of course plenty of external IPs listed in Dovecot logs - I'm 
just asking for possible causes for the localhost entries.


--
Daniel
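A log-triage script for the two hypotheses raised in this thread (a localhost source that hits several different accounts, which a monitoring check would not do, and localhost entries that are really Postfix's SASL call to Dovecot on behalf of a remote client). Added here as an example; it is not code from the thread. The log lines are constructed in the format quoted above, and the Postfix "SASL ... authentication failed" warning format is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not real data) in the formats discussed in the thread.
SAMPLE_LOG = """\
Jun 23 11:32:18 bubba dovecot: auth: ldap(alice,127.0.0.1): invalid credentials
Jun 23 11:32:18 bubba postfix/smtpd[2231]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed:
Jun 23 11:32:40 bubba dovecot: auth: ldap(bob,127.0.0.1): invalid credentials
Jun 23 11:32:41 bubba postfix/smtpd[2231]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed:
Jun 23 11:35:02 bubba dovecot: auth: ldap(alice,203.0.113.9): invalid credentials
Jun 23 11:40:00 bubba dovecot: auth: ldap(carol,127.0.0.1): invalid credentials
"""

# dovecot: auth: ldap("user",1.2.3.4): invalid credentials  (quotes around the user are optional)
DOVECOT_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: auth: '
                        r'\w+\("?([^",]+)"?,([\d.]+)\): invalid credentials')
# Assumed Postfix smtpd SASL failure line; the remote client IP is in brackets.
POSTFIX_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: '
                        r'warning: \S+\[([\d.]+)\]: SASL \w+ authentication failed')

def parse_ts(s, year=2017):
    # syslog timestamps carry no year; the constructed sample is from 2017
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def parse(log):
    """Split a log into Dovecot failures (ts, user, ip) and Postfix SASL failures (ts, client_ip)."""
    dovecot, postfix = [], []
    for line in log.splitlines():
        m = DOVECOT_RE.match(line)
        if m:
            dovecot.append((parse_ts(m[1]), m[2], m[3]))
            continue
        m = POSTFIX_RE.match(line)
        if m:
            postfix.append((parse_ts(m[1]), m[2]))
    return dovecot, postfix

def accounts_per_source(dovecot):
    """Source IP -> sorted list of accounts it failed against; several accounts from one IP is suspicious."""
    seen = defaultdict(set)
    for _, user, ip in dovecot:
        seen[ip].add(user)
    return {ip: sorted(users) for ip, users in seen.items()}

def correlate_localhost(dovecot, postfix, window=2):
    """For each 127.0.0.1 Dovecot failure, find a Postfix SASL failure within `window` seconds.
    A match means the localhost entry is Postfix relaying an SMTP AUTH attempt and gives the real client IP."""
    out = []
    for ts, user, ip in dovecot:
        if ip != "127.0.0.1":
            continue
        near = [cip for pts, cip in postfix if abs((pts - ts).total_seconds()) <= window]
        out.append((user, near[0] if near else None))
    return out
```

A localhost failure with no Postfix match in the window (carol above) is the kind of entry still worth chasing after the SASL explanation is accounted for.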