hi ya
On Tue, Jul 28, 2015 at 11:35:31PM -0400, Chris Ross wrote:
>
> > On Jul 28, 2015, at 21:52 , Steffan Cline <steffan at hldns.com> wrote:
> >
> > Ok, I think I have come a little further.
> >
> > When dovecot stops accepting connections, I checked netstat and found this:
> >
> > [root at hosting1 ~]# netstat -an | grep 993
> > tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
> > tcp 0 0 65.39.x.x:993 184.101.x.x:36351 SYN_RECV
> > tcp 0 0 65.39.x.x:993 107.212.x.x:51487 SYN_RECV
> > tcp 0 0 65.39.x.x:993 107.212.x.x:51488 SYN_RECV
> > tcp 0 0 65.39.x.x:993 184.101.x.x:44650 SYN_RECV

are you sure these are legitimate incoming imaps connections from those
107.212.x.x IP# addresses ??

they could just be probing your server for vulnerability before attacking
what ports are used or not ... etc etc..

the fact that dovecot replies to telnet localhost 993 is a good thing,
that imaps "should work" ...

you can also go one step further and check the certs belong to you:

outsidePC# openssl s_client -connect imaps.your-domain.com:993

if it is your own real connection attempts from your customers/employees,
you might have a problem, that requires more info ...

if you do NOT recognize those IP#, don't worry, except that you do need
to add imaps and pop3s into /etc/hosts.allow to allow legit connections
and all other script kiddies should be dropped. similarly, your firewall
should be configured to tarpit un-authorized new tcp connections to port 993

> > This told me it wasn't too many connections causing dovecot to be
> > unresponsive. So then I tried via telnet.
> >
> > Dovecot seems to accept connections but then just sits there and does
> > nothing. I used the appropriate commands to try and initiate a login but
> > nothing happens. Typing any commands at all produces no response from dovecot.
>
> Actually, I think the above shows that it's not a dovecot problem. A
> socket in a SYN_RECV state means that a connection request has merely been
> received from the network. That means your kernel has not finished establishing
> the TCP connection, so dovecot (or the application level in general) is likely
> not even involved yet. I would suspect some sort of firewall config on your
> host, or perhaps some sort of overload at the network stack level. But, the
> latter only if the server were very heavily loaded.
ditto
> I hope this feedback is helpful.
pixie dust
alvin
- http://NetworkNightmare.net/OpenSSL
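
The SYN_RECV check discussed in this thread, as an added example that is not part of any poster's message: it tallies `netstat -an` rows for local port 993 by TCP state and counts half-open sockets per peer. The sample rows, the documentation-range addresses and the `handshake_stalled` rule are assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample in the column layout of Linux `netstat -an`; the
# addresses are documentation-range placeholders, not hosts from the thread.
SAMPLE = """\
tcp   0   0 0.0.0.0:993      0.0.0.0:*            LISTEN
tcp   0   0 192.0.2.10:993   198.51.100.7:36351   SYN_RECV
tcp   0   0 192.0.2.10:993   203.0.113.5:51487    SYN_RECV
tcp   0   0 192.0.2.10:993   203.0.113.5:51488    SYN_RECV
tcp   0   0 192.0.2.10:993   198.51.100.7:44650   SYN_RECV
tcp   0   0 192.0.2.10:25    198.51.100.9:40001   SYN_RECV
"""


def summarize(netstat_text, port=993):
    """Return (sockets per TCP state, half-open sockets per peer) for a local port."""
    states, half_open = Counter(), Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # headers, UDP and unix-socket rows
        local, remote, state = fields[3], fields[4], fields[5]
        # rsplit keeps IPv6 rows such as ":::993" working.
        if local.rsplit(":", 1)[-1] != str(port):
            continue
        states[state] += 1
        if state == "SYN_RECV":
            half_open[remote.rsplit(":", 1)[0]] += 1
    return states, half_open


def handshake_stalled(states):
    """Assumed heuristic: half-open sockets exist and none reached ESTABLISHED."""
    return states["SYN_RECV"] > 0 and states["ESTABLISHED"] == 0


if __name__ == "__main__":
    states, half_open = summarize(SAMPLE)
    print("states:", dict(states))
    for peer, count in half_open.most_common():
        print(f"{count} half-open from {peer}")
    if handshake_stalled(states):
        print("no completed handshakes: check firewall / network path before dovecot")
```

To use it on a live host, pass the captured text of `netstat -an` to `summarize()` in place of `SAMPLE`.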