Recently my network was scanned. Various services were scanned, and while checking the logs of my mail server the following string drew my attention:

mail dovecot: pop3-login: Disconnected: user=<ttejmgpfip>, method=PLAIN, rip=87.228.15.180, lip=x.x.x.x

This looks weird to me, because "pop3-login: Disconnected" looks like a successful login attempt to me. I have no such user named ttejmgpfip, it doesn't exist ofc. I've checked what dovecot writes to the log if I try the PLAIN login method with a random login/password, and it's "Aborted login". As I'm using an SQL backend for the user/pass database, I'm afraid that I might have something misconfigured and a possible SQL injection or something else allowed the attacker to "login" with a random password. Or are my worries groundless and can I get such a message in some case of unsuccessful login?

Running dovecot 1.0.rc15 (CentOS 5). Here is how my sql auth is done:

default_pass_scheme = MD5
password_query = SELECT password FROM mailbox WHERE active = '1' AND (LEFT(username, INSTR(username, '@')-1) = '%u' OR username = '%u')
user_query = SELECT maildir as home, 6000 AS uid, 6000 AS gid, domain FROM mailbox WHERE LEFT(username, INSTR(username, '@')-1) = '%u' OR username = '%u'

I have such a query so it is possible for a user to login either as user at domain or just as user (I have a single domain).
Further testing shows that such a message could occur simply by providing a random username/password and terminating the session afterwards (not sending QUIT).
On 8/8/2008, Pavel Shirov (nstorm0.0 at gmail.com) wrote:

> Recently my network was scanned. Various services were scanned, and checking
> the logs of mail server the following string drew my attention:
> mail dovecot: pop3-login: Disconnected: user=<ttejmgpfip>, method=PLAIN,
> rip=87.228.15.180, lip=x.x.x.x

grep the logs for this user?

> Running dovecot 1.0.rc15

upgrade... this is ANCIENT and buggy...

--
Best regards,
Charles
On Aug 8, 2008, at 2:01 AM, Pavel Shirov wrote:

> Recently my network was scanned. Various services were scanned, and checking
> the logs of mail server the following string drew my attention:
> mail dovecot: pop3-login: Disconnected: user=<ttejmgpfip>, method=PLAIN,
> rip=87.228.15.180, lip=x.x.x.x
>
> This looks weird to me, because pop3-login: Disconnected looks like a
> successful login attempt to me.

It's prefixed with "pop3-login", so it was the pre-login process that disconnected the client. The user couldn't have logged in.

> Running dovecot 1.0.rc15 (CentOS 5). Here is how my sql auth is done:

rc15 is pretty old. The logging messages (and a lot of other stuff) have improved since then.

> password_query = SELECT password FROM mailbox WHERE active = '1' AND
> (LEFT(username, INSTR(username, '@')-1) = '%u' OR username = '%u')
> user_query = SELECT maildir as home, 6000 AS uid, 6000 AS gid, domain FROM
> mailbox WHERE LEFT(username, INSTR(username, '@')-1) = '%u' OR username = '%u'

Dovecot escapes all the usernames, and actually unless you've changed auth_username_chars it doesn't even let any weird characters near the SQL queries.
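To make the two points of this reply concrete (the process prefix tells you whether the client ever got past authentication, and auth_username_chars keeps unexpected characters away from the SQL layer), here is a small log classifier. It is an added example for this thread, not Dovecot's own code or anything the list members posted. The log lines it parses are constructed for the example (only the first mirrors the one from the original post); the event labels "Login", "Aborted login" and "Disconnected" and the default value of auth_username_chars are taken from Dovecot's documentation but should be checked against the version actually running, since this thread notes the messages changed after 1.0.rc15.

```python
"""Classify Dovecot login-process log lines and summarise them per remote IP.

Added example for this mailing-list thread; not Dovecot's code.
Assumptions: a line from a "*-login" process (pop3-login, imap-login) is the
pre-login process, and only its "Login:" event means authentication succeeded.
A line from "pop3(user)" / "imap(user)" comes from the post-login process, so
the client had already authenticated.
"""
import re
from collections import defaultdict

# Constructed sample log (not from a real server). The first line mirrors the
# one quoted in the thread; the rest are made up to show the other cases.
SAMPLE_LOG = """\
Aug  8 01:55:12 mail dovecot: pop3-login: Disconnected: user=<ttejmgpfip>, method=PLAIN, rip=87.228.15.180, lip=x.x.x.x
Aug  8 01:55:13 mail dovecot: pop3-login: Disconnected: user=<qzmvwkd>, method=PLAIN, rip=87.228.15.180, lip=x.x.x.x
Aug  8 01:55:14 mail dovecot: pop3-login: Aborted login: user=<admin>, method=PLAIN, rip=87.228.15.180, lip=x.x.x.x
Aug  8 01:55:15 mail dovecot: pop3-login: Disconnected: user=<o'brien>, method=PLAIN, rip=87.228.15.180, lip=x.x.x.x
Aug  8 02:00:01 mail dovecot: pop3-login: Login: user=<pavel>, method=PLAIN, rip=192.0.2.10, lip=x.x.x.x
Aug  8 02:00:09 mail dovecot: pop3(pavel): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
"""

# "<proc>: <event>[: <detail>]" where proc is either a pre-login process
# ("pop3-login") or a post-login one ("pop3(pavel)").
LINE_RE = re.compile(
    r"(?P<proc>[a-z0-9]+-login|[a-z0-9]+\([^)]*\)): "
    r"(?P<event>Login|Aborted login|Disconnected)(?:: (?P<detail>.*))?$"
)

# Dovecot's documented default for auth_username_chars (assumption: verify
# against the running version). Usernames containing any other character are
# rejected by the login process before a password_query is ever built.
DEFAULT_AUTH_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)


def parse_line(line):
    """Return a dict describing the line, or None if it is not a login event."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proc, event = m.group("proc"), m.group("event")
    detail = m.group("detail") or ""
    user = re.search(r"user=<([^>]*)>", detail)
    rip = re.search(r"rip=([^,\s]+)", detail)
    return {
        "process": proc,
        "pre_login": proc.endswith("-login"),
        "event": event,
        "user": user.group(1) if user else None,
        "rip": rip.group(1) if rip else None,
    }


def authenticated(rec):
    """True only if the client got past authentication: a 'Login:' from the
    pre-login process, or any line from a post-login process."""
    return (not rec["pre_login"]) or rec["event"] == "Login"


def username_reaches_sql(user, allowed=DEFAULT_AUTH_USERNAME_CHARS):
    """Would this username pass the auth_username_chars filter?"""
    return all(c in allowed for c in user)


def summarise(log_text, known_users):
    """Per remote IP: failed pre-login attempts, unknown usernames tried,
    and completed logins. Post-login lines carry no rip= and are skipped."""
    stats = defaultdict(lambda: {"failed": 0, "unknown_users": set(), "logins": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["rip"] is None:
            continue
        s = stats[rec["rip"]]
        if authenticated(rec):
            s["logins"] += 1
        else:
            s["failed"] += 1
            if rec["user"] and rec["user"] not in known_users:
                s["unknown_users"].add(rec["user"])
    return dict(stats)


if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG, {"pavel"}).items():
        print(f"{ip}: failed={s['failed']} logins={s['logins']} "
              f"unknown_users={sorted(s['unknown_users'])}")
    for name in ("pavel@example.com", "o'brien"):
        print(f"{name!r} reaches SQL: {username_reaches_sql(name)}")
```

Run against the sample, the scanning IP shows four failed pre-login attempts, four usernames that do not exist, and zero logins, which is exactly the pattern in the original post: "pop3-login: Disconnected" is a client that went away before authentication completed, not a login. The single "Login:" line belongs to a real user from a different address. The last function shows why the quote character in one of the probed usernames never gets near password_query under the default auth_username_chars.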