Hi
I have a script that checks the logs each day and mails me invalid user attempts
and authentication failures for the previous day. (I use fail2ban to ban
multiple attempts in a short space of time).
For some reason, this appears every day:
Oct 11 06:25:12 mail dovecot: auth-worker(default): sql(simon at
mydomain.net,127.0.0.1): Password mismatch
Oct 11 06:25:19 mail dovecot: auth-worker(default): sql(simon at
mydomain.net,127.0.0.1): Password mismatch
Oct 11 06:25:31 mail dovecot: auth-worker(default): sql(simon at
mydomain.net,127.0.0.1): Password mismatch
Oct 11 06:25:48 mail dovecot: auth-worker(default): sql(simon at
mydomain.net,127.0.0.1): Password mismatch
Oct 11 06:26:10 mail dovecot: imap-login: Aborted login (auth failed, 4
attempts): user=<simon at mydomain.net>, method=PLAIN, rip=127.0.0.1,
lip=127.0.0.1, secured
Of all the accounts on the box, it's only mine that throws this up. Since
its LIP is localhost, it could really only be for webmail - but I don't
always leave the webmail open, so I'm curious to know how this gets there
and what it is.
Any suggestions? I find it difficult to believe I have an IMAP process in a
script somewhere (especially with my user account - the postmaster account, I
could believe, but not with my personal one)..
The log time is UTC, so watching the process list at 2.24 is less than
appealing!
Simon