While auditing my logs after an account was compromised, I see a number of entries like:

Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials

I'm trying to figure out where this login attempt is coming from. I do run ASSP (an SMTP proxy) on this server, as well as Postfix - but I wouldn't think there'd be any communication with Dovecot for those? Postfix does use Dovecot SASL - but I see separate log entries for Postfix authentication failures.

There are of course plenty of external IPs listed in Dovecot logs - I'm just asking for possible causes for the localhost entries.

--
Daniel

On Fri, 23 Jun 2017 11:38:28 -0700 Daniel Miller <dmiller at amfes.com> wrote:

> While auditing my logs after an account was compromised, I see a
> number of entries like:
>
> Jun 23 11:32:18 bubba dovecot: auth:
> ldap("one-of-my-accounts",127.0.0.1): invalid credentials

webmail?

--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org

On 2017-06-23 15:09, Marcus Rueckert wrote:

> On Fri, 23 Jun 2017 11:38:28 -0700
> Daniel Miller <dmiller at amfes.com> wrote:
>
>> While auditing my logs after an account was compromised, I see a
>> number of entries like:
>>
>> Jun 23 11:32:18 bubba dovecot: auth:
>> ldap("one-of-my-accounts",127.0.0.1): invalid credentials
>
> webmail?

I thought that as well - because I do have a webmail service - but that's on a separate virtual server (admittedly, running on this host). So that shouldn't give me a localhost IP. I also don't see anything in the webmail logs corresponding to the dovecot logs.

---
Daniel
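
One way to check whether the localhost entries discussed in this thread line up in time with Postfix SASL failures, as an added example that is not from any of the posters. The sample log lines are constructed; the Postfix warning format, the 5-second window, the year default and all function names are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines. The Dovecot format follows the entry quoted in the
# thread; the Postfix line is the usual smtpd SASL failure warning (assumed).
SAMPLE_LOG = """\
Jun 23 11:32:18 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
Jun 23 11:32:18 bubba postfix/smtpd[2101]: warning: unknown[127.0.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 23 11:40:02 bubba dovecot: auth: ldap("one-of-my-accounts",203.0.113.7): invalid credentials
Jun 23 11:55:41 bubba dovecot: auth: ldap("one-of-my-accounts",127.0.0.1): invalid credentials
"""

STAMP = r'^(\w{3}\s+\d+ [\d:]{8}) \S+ '
DOVECOT = re.compile(STAMP + r'dovecot: auth: \w+\("?([^",]+)"?,([^,)]+)[^)]*\): invalid credentials')
POSTFIX = re.compile(STAMP + r'postfix/\S+: warning: \S+\[[^\]]+\]: SASL \S+ authentication failed')


def parse_time(stamp, year):
    # Syslog stamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback  # 127.0.0.0/8 and ::1
    except ValueError:
        return False


def classify_loopback_failures(log_text, window_s=5, year=2017):
    """Label each Dovecot auth failure from a loopback address as
    'postfix-sasl' (a Postfix SASL failure was logged within window_s
    seconds) or 'unexplained' (no nearby Postfix entry)."""
    window = timedelta(seconds=window_s)
    lines = log_text.splitlines()
    sasl_times = [parse_time(m.group(1), year) for m in map(POSTFIX.match, lines) if m]
    results = []
    for m in filter(None, map(DOVECOT.match, lines)):
        stamp, user, addr = m.groups()
        if not is_loopback(addr):
            continue
        when = parse_time(stamp, year)
        near = any(abs(when - t) <= window for t in sasl_times)
        results.append((stamp, user, "postfix-sasl" if near else "unexplained"))
    return results


if __name__ == "__main__":
    for row in classify_loopback_failures(SAMPLE_LOG):
        print(*row)
```

Entries labelled "unexplained" are the ones worth tracing to another local client; a time match alone only suggests, and does not prove, that Postfix relayed the attempt.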