Hello, I am using Dovecot ver.1.0.7 on an x86 server with RedHat Linux Enterprise 5 and the following configuration: # 1.0.7: /etc/dovecot.conf protocols: pop3 login_dir: /var/run/dovecot/login login_executable: /usr/libexec/dovecot/pop3-login mail_location: mbox:~/mail:INBOX=/var/mail/%u mail_executable: /usr/libexec/dovecot/pop3 mail_plugin_dir: /usr/lib/dovecot/pop3 pop3_client_workarounds: outlook-no-nuls oe-ns-eoh auth default: passdb: driver: pam userdb: driver: passwd It seems that my mail server is being attacked by someone who tries to retrieve users' credentials. Please read below an output of logwatch. dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user sandra dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tanya dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tanya dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user dark dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user dark dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user gibson dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user frank dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user frank Besides, some of the local users receive "spam" emails, which seem to be sent by another local user. Please assist me on how to prevent the aforementioned attack. Best Regards, Nikos
There isn't enough information presented to assist, you'll want to refer to the wiki to increase your logging to get more detail: http://wiki.dovecot.org/Logging What you need is the system IP that's connecting as these users, if it's local, you should be able to track that system down easily. If it's remote, block it via a firewall to lock it out. Regarding the spam emails, they may or may not be coming from this same system, once you have more logging, you'll be able to verify that. Jim On Sep 9, 2011, at 4:45 PM, Nikos Papadopoulos wrote:> I am using Dovecot ver.1.0.7 on an x86 server with RedHat Linux Enterprise 5> It seems that my mail server is being attacked by someone who tries to > retrieve users' credentials.> Besides, some of the local users receive "spam" emails, which seem to be > sent by another local user.
That's all normal activity (failed logins) for any internet facing machine. They may be dictionary attacks, or not... If they get on your nerves, block them. Strong passwords will help more. Also, it's likely that you have forged mail coming in from outside, and not really "spam from local users" ? If it is really locally generated, then disable the account. Ken On 9/9/2011 4:45 PM, Nikos Papadopoulos wrote:> Hello, > > > > I am using Dovecot ver.1.0.7 on an x86 server with RedHat Linux Enterprise 5 > and the following configuration: > > > > # 1.0.7: /etc/dovecot.conf > > protocols: pop3 > > login_dir: /var/run/dovecot/login > > login_executable: /usr/libexec/dovecot/pop3-login > > mail_location: mbox:~/mail:INBOX=/var/mail/%u > > mail_executable: /usr/libexec/dovecot/pop3 > > mail_plugin_dir: /usr/lib/dovecot/pop3 > > pop3_client_workarounds: outlook-no-nuls oe-ns-eoh > > auth default: > > passdb: > > driver: pam > > userdb: > > driver: passwd > > > > > > It seems that my mail server is being attacked by someone who tries to > retrieve users' credentials. Please read below an output of logwatch. > > > > dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information > about > > user sandra > > dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information > about > > user tanya > > dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information > about > > user tanya > > dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information > about > > user dark > > dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information > about > > user dark > > dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information > about > > user gibson > > dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information > about > > user frank > > dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information > about > > user frank > > > > > > > > Besides, some of the local users receive "spam" emails, which seem to be > sent by another local user. > > > > Please assist me on how to prevent the aforementioned attack. > > > > Best Regards, > > > > Nikos > > > >-- Ken Anderson Pacific Internet - http://www.pacific.net Latest Pacific.Net Status - http://twitter.com/pacnetstatus
Seemingly Similar Threads
- unable to lock for exclusive access: Resource temporarily unavailable
- Can somebody explay the here down message lines from server Centos 5.6
- Dovecot attack
- 64.31.19.48 attempt to break into my computer
- Tangential Issue: idmap backend = ad and Active Directory 2008R2