Re: [Dovecot] Auth message

2008-08-12 Thread Timo Sirainen

On Aug 8, 2008, at 2:01 AM, Pavel Shirov wrote:

Recently my network was scanned. Various services were scanned, and checking
the logs of mail server the following string drew my attention:
mail dovecot: pop3-login: Disconnected: user=ttejmgpfip, method=PLAIN,
rip=87.228.15.180, lip=x.x.x.x

This looks weird to me, because pop3-login: Disconnected looks like
successful login attempt to me.


It's prefixed with pop3-login, so it was the pre-login process that  
disconnected the client. The user couldn't have logged in.



Running dovecot 1.0.rc15 (CentOS 5). Here is how my sql auth is done:


rc15 is pretty old. The logging messages (and a lot of other stuff)  
have improved since then.



password_query = SELECT password FROM mailbox WHERE active = '1' AND
(LEFT(username, INSTR(username, '@')-1) = '%u' OR username = '%u')
user_query = SELECT maildir as home, 6000 AS uid, 6000 AS gid, domain FROM
mailbox WHERE LEFT(username, INSTR(username, '@')-1) = '%u' OR username =
'%u'


Dovecot escapes all the usernames, and actually unless you've changed  
auth_username_chars it doesn't even let any weird characters near the  
SQL queries.






[Dovecot] Auth message

2008-08-08 Thread Pavel Shirov
Recently my network was scanned. Various services were scanned, and checking
the logs of mail server the following string drew my attention:
mail dovecot: pop3-login: Disconnected: user=ttejmgpfip, method=PLAIN,
rip=87.228.15.180, lip=x.x.x.x

This looks weird to me, because pop3-login: Disconnected looks like
successful login attempt to me. I have no such user named ttejmgpfip exists
ofc. I've checked what dovecot writes to log if I try PLAIN login method with
random login/password, and it's Aborted login.
As I'm using SQL backend for user/pass database, I'm afraid that I might
have something misconfigured and a possible sql-injection or something else
allowed attacker to login with random password.
Or my worries are groundless and I can get such message in some case of
unsuccessful login?
Running dovecot 1.0.rc15 (CentOS 5). Here is how my sql auth is done:

default_pass_scheme = MD5
password_query = SELECT password FROM mailbox WHERE active = '1' AND
(LEFT(username, INSTR(username, '@')-1) = '%u' OR username = '%u')
user_query = SELECT maildir as home, 6000 AS uid, 6000 AS gid, domain FROM
mailbox WHERE LEFT(username, INSTR(username, '@')-1) = '%u' OR username =
'%u'

I have such query so it is possible for a user to login either as
[EMAIL PROTECTED] or just as user (I have single domain).


Re: [Dovecot] Auth message

2008-08-08 Thread Pavel Shirov
Further testing shows that such a message could occur simply by providing
a random username/password and terminating the session afterwards (not sending
QUIT).


Re: [Dovecot] Auth message

2008-08-08 Thread Charles Marcus

On 8/8/2008, Pavel Shirov ([EMAIL PROTECTED]) wrote:

Recently my network was scanned. Various services were scanned, and checking
the logs of mail server the following string drew my attention:
mail dovecot: pop3-login: Disconnected: user=ttejmgpfip, method=PLAIN,
rip=87.228.15.180, lip=x.x.x.x


grep the logs for this user?


Running dovecot 1.0.rc15


upgrade... this is ANCIENT and buggy...

--

Best regards,

Charles
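
Added example, not part of any message in the thread: a small log triage script that applies the two points made above, that a line prefixed with pop3-login comes from the pre-login process, and that the logs can be searched per user and remote IP. The sample lines are constructed; the "Aborted login", "Login" and "POP3(user)" line formats, the documentation IP addresses and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample. The first line copies the format quoted in the thread;
# the "Aborted login", "Login" and "POP3(alice)" lines are assumed formats.
SAMPLE_LOG = """\
Aug  8 01:10:02 mail dovecot: pop3-login: Disconnected: user=ttejmgpfip, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Aug  8 01:10:03 mail dovecot: pop3-login: Aborted login: user=admin, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
Aug  8 01:10:05 mail dovecot: pop3-login: Disconnected: rip=192.0.2.10, lip=198.51.100.5
Aug  8 09:00:00 mail dovecot: pop3-login: Login: user=alice, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Aug  8 09:00:04 mail dovecot: POP3(alice): Disconnected: Logged out top=0/0, retr=1/1024, del=0/1, size=1024
"""

# Only lines written by the login (pre-authentication) processes match.
LOGIN_PROC = re.compile(
    r"dovecot: (?P<proc>(?:pop3|imap)-login): (?P<event>[^:]+): (?P<fields>.*)"
)

def triage(log_text):
    """Group login-process events by remote IP (rip)."""
    report = defaultdict(
        lambda: {"unauthenticated_users": set(), "logins": set(), "prelogin_events": 0}
    )
    for line in log_text.splitlines():
        m = LOGIN_PROC.search(line)
        if not m:
            continue  # post-login process ("POP3(user):") or unrelated line
        fields = dict(kv.split("=", 1) for kv in m["fields"].split(", ") if "=" in kv)
        entry = report[fields.get("rip", "?")]
        user = fields.get("user", "").strip("<>")
        if m["event"] == "Login":
            entry["logins"].add(user)       # the only event that means success
        else:
            entry["prelogin_events"] += 1   # Disconnected / Aborted login
            if user:
                entry["unauthenticated_users"].add(user)
    return dict(report)

def never_logged_in(report, min_users=2):
    """Remote IPs that named several users but never produced a Login event."""
    return sorted(
        rip for rip, e in report.items()
        if len(e["unauthenticated_users"]) >= min_users and not e["logins"]
    )

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rip in never_logged_in(result):
        print(rip, sorted(result[rip]["unauthenticated_users"]))
```
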