Dear list users

While trying to secure our dovecot server with fail2ban I came across the following problem:
We use dovecot (1.2.9, ubuntu package) behind a NAT, and failed login attempts are logged with our firewall as the remote ip.

Example:
Apr 15 08:36:26 mail dovecot: imap-login: Disconnected (auth failed, 6 attempts): user=<xy>, method=PLAIN, rip=192.168.0.1, lip=192.168.0.3

Therefore I would ban 192.168.0.1 which means that I ban EVERY user.

Funny thing is that POP3 login attempts are logged correctly:
Apr 13 11:05:50 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<sgvyniwx>, method=PLAIN, rip=217.81.27.55, lip=192.168.0.3

Any ideas how to change this?

Thanks in advance
tyli

Marcin Mirosław
2011-Apr-15 09:00 UTC
[Dovecot] Wrong remote IP (rip) in mail.log using IMAP login
On 15.04.2011 10:57, tyli wrote:
> Dear list users
>
> While trying to secure our dovecot server with fail2ban I came across
> the following problem:
> We use dovecot (1.2.9, ubuntu package) behind a NAT, and failed login
> attempts are logged with our firewall as the remote ip.
>
> Example:
> Apr 15 08:36:26 mail dovecot: imap-login: Disconnected (auth failed, 6
> attempts): user=<xy>, method=PLAIN, rip=192.168.0.1, lip=192.168.0.3
>
> Therefore I would ban 192.168.0.1 which means that I ban EVERY user.
>
> Funny thing is that POP3 login attempts are logged correctly:
> Apr 13 11:05:50 mail dovecot: pop3-login: Disconnected (auth failed, 1
> attempts): user=<sgvyniwx>, method=PLAIN, rip=217.81.27.55, lip=192.168.0.3
>

Hi!
Do a simple check: try running tcpdump port imap and check whether the remote IP address is local or remote.

Regards,
Marcin

Johan Hendriks
2011-Apr-15 09:29 UTC
[Dovecot] Wrong remote IP (rip) in mail.log using IMAP login
tyli wrote:
> Dear list users
>
> While trying to secure our dovecot server with fail2ban I came across
> the following problem:
> We use dovecot (1.2.9, ubuntu package) behind a NAT, and failed login
> attempts are logged with our firewall as the remote ip.
>
> Example:
> Apr 15 08:36:26 mail dovecot: imap-login: Disconnected (auth failed, 6
> attempts): user=<xy>, method=PLAIN, rip=192.168.0.1, lip=192.168.0.3
>
> Therefore I would ban 192.168.0.1 which means that I ban EVERY user.
>
> Funny thing is that POP3 login attempts are logged correctly:
> Apr 13 11:05:50 mail dovecot: pop3-login: Disconnected (auth failed, 1
> attempts): user=<sgvyniwx>, method=PLAIN, rip=217.81.27.55, lip=192.168.0.3
>
> Any ideas how to change this?
>
> Thanks in advance
> tyli

Could it be that imap is through webmail?

Regards,
Johan
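
The following Python is an added example, not part of any poster's message and not fail2ban's own code. It parses Dovecot login-failure lines like the two quoted in this thread and separates `rip` values that can be banned from non-public ones (a NAT gateway or proxy) that must not be, which is the situation the original post describes. The sample log lines, the `triage` function and the threshold of 5 failures are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines, modelled on the two log entries quoted in the thread.
SAMPLE_LOG = """\
Apr 15 08:36:26 mail dovecot: imap-login: Disconnected (auth failed, 6 attempts): user=<xy>, method=PLAIN, rip=192.168.0.1, lip=192.168.0.3
Apr 13 11:05:50 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<sgvyniwx>, method=PLAIN, rip=217.81.27.55, lip=192.168.0.3
Apr 13 11:06:02 mail dovecot: pop3-login: Disconnected (auth failed, 4 attempts): user=<sgvyniwx>, method=PLAIN, rip=217.81.27.55, lip=192.168.0.3
Apr 13 11:07:10 mail dovecot: imap-login: Login: user=<xy>, method=PLAIN, rip=192.168.0.1, lip=192.168.0.3
"""

# Matches only failed-authentication disconnects and captures service, attempt count and rip.
FAILURE = re.compile(
    r"dovecot: (?P<svc>imap|pop3)-login: .*\(auth failed, (?P<n>\d+) attempts\)"
    r".*\brip=(?P<rip>[0-9a-fA-F:.]+)"
)

def triage(log_text, max_failures=5):
    """Return (ban, masked): public rips to ban, and non-public rips over the threshold."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue
        try:
            rip = ipaddress.ip_address(m.group("rip"))
        except ValueError:
            continue  # malformed address field, skip the line
        failures[rip] += int(m.group("n"))
    ban, masked = [], []
    for rip, count in failures.items():
        if count < max_failures:
            continue
        # A non-global rip is a gateway or proxy hiding the real client:
        # banning it would lock out every user who arrives through it.
        (ban if rip.is_global else masked).append(str(rip))
    return sorted(ban), sorted(masked)

if __name__ == "__main__":
    ban, masked = triage(SAMPLE_LOG)
    print("ban:", ban)
    print("do not ban (NAT/proxy address):", masked)
```

Addresses returned in the second list point at a logging problem to fix upstream (NAT rule, proxy or webmail host) before any ban rule is enabled for that service.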