Re: localhost logins
> Jun 27 12:03:27 bubba dovecot: auth: ldap(someu...@mydomain.com,127.0.0.1): invalid credentials
>
> The only other thing I can think of - Postfix runs on this server and uses Dovecot SASL. Is it possible the Dovecot auth log line is caused by a Postfix connection attempt?

That would have been my first guess. Why don't you actually try it out (i.e. log in to SMTP with bad credentials) and see if the mysterious log entry appears.

# Create bogus SMTP auth string (AUTH PLAIN is the base64 of "\0user\0password")
AUTH=$(printf '\0user\0badpassword' | openssl enc -base64)
# SMTP session commands
printf 'EHLO test.client.helo\nAUTH PLAIN %s\nQUIT\n' "$AUTH" >data
# Use whichever command your Postfix supports ("250-AUTH PLAIN")
# - if you greet pause, you'll have to enter data manually
netcat -C mailserver 25 <data
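Whether the SMTP test above reproduces the line or not, the other way to settle the question is to check if each Dovecot 127.0.0.1 failure lines up in time with a Postfix SASL failure. The script below is an added example, not something posted in this thread: it correlates the two over constructed sample syslog lines (the "SASL ... authentication failed" wording is Postfix smtpd's real log format; hosts, PIDs, addresses, users and times are made up).

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the thread). Two Dovecot failures
# come from 127.0.0.1; only the first has a Postfix SASL failure next to it.
SAMPLE_LOG = """\
Jun 27 12:03:27 bubba dovecot: auth: ldap(user1@example.com,127.0.0.1): invalid credentials
Jun 27 12:03:27 bubba postfix/smtpd[4242]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jun 27 12:05:02 bubba dovecot: auth: ldap(user2@example.com,127.0.0.1): invalid credentials
Jun 27 12:09:45 bubba dovecot: auth: ldap(user1@example.com,198.51.100.23): invalid credentials
Jun 27 12:09:46 bubba postfix/smtpd[4243]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
"""

SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<rest>.*)$")
# Dovecot auth line: <mechanism or passdb>(<user>,<ip>): invalid credentials
DOVECOT_FAIL = re.compile(r"dovecot: auth: \w+\((?P<user>[^,]+),(?P<ip>[^)]+)\): invalid credentials")
# Postfix smtpd SASL failure, carrying the real client IP in brackets
POSTFIX_SASL = re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed")

def parse_ts(ts, year=2017):
    # Syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def correlate(log_text, window_seconds=2, year=2017):
    """One dict per Dovecot failure from 127.0.0.1, listing the client IPs of
    Postfix SASL failures logged within window_seconds of it (empty if none)."""
    dovecot_local, postfix_fail = [], []
    for line in log_text.splitlines():
        m = SYSLOG_TS.match(line)
        if not m:
            continue
        when = parse_ts(m.group("ts"), year)
        d = DOVECOT_FAIL.search(m.group("rest"))
        if d and d.group("ip") == "127.0.0.1":
            dovecot_local.append((when, d.group("user")))
        p = POSTFIX_SASL.search(m.group("rest"))
        if p:
            postfix_fail.append((when, p.group("ip")))
    window = timedelta(seconds=window_seconds)
    results = []
    for when, user in dovecot_local:
        nearby = [ip for pt, ip in postfix_fail if abs(pt - when) <= window]
        results.append({"time": when.strftime("%H:%M:%S"), "user": user, "postfix_clients": nearby})
    return results

if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        verdict = ("Postfix SASL from " + ", ".join(r["postfix_clients"])
                   if r["postfix_clients"] else "no Postfix SASL failure nearby")
        print(f"{r['time']} {r['user']}: {verdict}")
```

A 127.0.0.1 failure with no Postfix line nearby (the second one in the sample) is the case worth chasing further, since Postfix cannot be its source.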
Re: localhost logins
On 6/27/2017 1:33 AM, Daniel Miller wrote:
> On 6/27/2017 12:42 AM, Fabian Schmidt wrote:
>> On 26.06.17 Daniel Miller wrote:
>>> On 2017-06-23 15:09, Marcus Rueckert wrote:
>>>> On Fri, 23 Jun 2017 11:38:28 -0700 Daniel Miller wrote:
>>>>> While auditing my logs after an account was compromised, I see a number of entries like:
>>>>>
>>>>> Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
>>>>
>>>> webmail?
>>
>> Nagios or someone else monitoring dovecot?
>
> Not running such - and they wouldn't be hitting multiple accounts.

Now I'm more confused. I changed Dovecot to listen only on a specific IP address - and I still see localhost log lines:

Jun 27 12:03:27 bubba dovecot: auth: ldap(someu...@mydomain.com,127.0.0.1): invalid credentials

The only other thing I can think of - Postfix runs on this server and uses Dovecot SASL. Is it possible the Dovecot auth log line is caused by a Postfix connection attempt?

Daniel
Re: localhost logins
On 6/27/2017 12:42 AM, Fabian Schmidt wrote:
> On 26.06.17 Daniel Miller wrote:
>> On 2017-06-23 15:09, Marcus Rueckert wrote:
>>> On Fri, 23 Jun 2017 11:38:28 -0700 Daniel Miller wrote:
>>>> While auditing my logs after an account was compromised, I see a number of entries like:
>>>>
>>>> Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
>>>
>>> webmail?
>
> Nagios or someone else monitoring dovecot?

Not running such - and they wouldn't be hitting multiple accounts.

Daniel
Re: localhost logins
On 26.06.17 Daniel Miller wrote:
> On 2017-06-23 15:09, Marcus Rueckert wrote:
>> On Fri, 23 Jun 2017 11:38:28 -0700 Daniel Miller wrote:
>>> While auditing my logs after an account was compromised, I see a number of entries like:
>>>
>>> Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
>>
>> webmail?

Nagios or someone else monitoring dovecot?

Fabian.
Re: localhost logins
On 2017-06-23 15:09, Marcus Rueckert wrote:
> On Fri, 23 Jun 2017 11:38:28 -0700 Daniel Miller wrote:
>> While auditing my logs after an account was compromised, I see a number of entries like:
>>
>> Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
>
> webmail?

I thought that as well - because I do have a webmail service - but that's on a separate virtual server (admittedly, running on this host). So that shouldn't give me a localhost IP. I also don't see anything in the webmail logs corresponding to the dovecot logs.

---
Daniel
Re: localhost logins
On Fri, 23 Jun 2017 11:38:28 -0700 Daniel Miller wrote:
> While auditing my logs after an account was compromised, I see a number of entries like:
>
> Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials

webmail?

--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
localhost logins
While auditing my logs after an account was compromised, I see a number of entries like:

Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials

I'm trying to figure out where this login attempt is coming from. I do run ASSP (an SMTP proxy) on this server, as well as Postfix - but I wouldn't think there'd be any communication with Dovecot for those? Postfix does use Dovecot SASL - but I see separate log entries for Postfix authentication failures. There are of course plenty of external IPs listed in Dovecot logs - I'm just asking for possible causes for the localhost entries.

--
Daniel