On 2017-06-23 15:09, Marcus Rueckert wrote:
> On Fri, 23 Jun 2017 11:38:28 -0700
> Daniel Miller <dmiller at amfes.com> wrote:
>
>> While auditing my logs after an account was compromised, I see a
>> number of entries like:
>>
>> Jun 23 11:32:18 bubba dovecot: auth:
>> ldap("one-of-my-accounts",127.0.0.1): invalid credentials
>
> webmail?

I thought that as well - because I do have a webmail service - but that's on a separate virtual server (admittedly, running on this host). So that shouldn't give me a localhost IP. I also don't see anything in the webmail logs corresponding to the dovecot logs.

---
Daniel


On 26.06.17 Daniel Miller wrote:
> On 2017-06-23 15:09, Marcus Rueckert wrote:
>> On Fri, 23 Jun 2017 11:38:28 -0700
>> Daniel Miller <dmiller at amfes.com> wrote:
>>
>>> While auditing my logs after an account was compromised, I see a
>>> number of entries like:
>>>
>>> Jun 23 11:32:18 bubba dovecot: auth:
>>> ldap("one-of-my-accounts",127.0.0.1): invalid credentials
>>
>> webmail?

Nagios or someone else monitoring dovecot?

Fabian.


On 6/27/2017 12:42 AM, Fabian Schmidt wrote:
>
> On 26.06.17 Daniel Miller wrote:
>
>> On 2017-06-23 15:09, Marcus Rueckert wrote:
>>> On Fri, 23 Jun 2017 11:38:28 -0700
>>> Daniel Miller <dmiller at amfes.com> wrote:
>>>
>>>> While auditing my logs after an account was compromised, I see a
>>>> number of entries like:
>>>>
>>>> Jun 23 11:32:18 bubba dovecot: auth:
>>>> ldap("one-of-my-accounts",127.0.0.1): invalid credentials
>>>
>>> webmail?
>
> Nagios or someone else monitoring dovecot?
>

Not running such - and they wouldn't be hitting multiple accounts.

Daniel


On 6/27/2017 1:33 AM, Daniel Miller wrote:
> On 6/27/2017 12:42 AM, Fabian Schmidt wrote:
>>
>> On 26.06.17 Daniel Miller wrote:
>>
>>> On 2017-06-23 15:09, Marcus Rueckert wrote:
>>>> On Fri, 23 Jun 2017 11:38:28 -0700
>>>> Daniel Miller <dmiller at amfes.com> wrote:
>>>>
>>>>> While auditing my logs after an account was compromised, I see a
>>>>> number of entries like:
>>>>>
>>>>> Jun 23 11:32:18 bubba dovecot: auth:
>>>>> ldap("one-of-my-accounts",127.0.0.1): invalid credentials
>>>>
>>>> webmail?
>>
>> Nagios or someone else monitoring dovecot?
>>
> Not running such - and they wouldn't be hitting multiple accounts.
>

Now I'm more confused. I changed Dovecot to listen only on a specific IP address - and I still see localhost log lines:

Jun 27 12:03:27 bubba dovecot: auth: ldap(SomeUser at MyDomain.com,127.0.0.1): invalid credentials

The only other thing I can think of - Postfix runs on this server and uses Dovecot SASL. Is it possible the Dovecot auth log line is caused by a Postfix connection attempt?

Daniel
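The thread's distinguishing question is whether the 127.0.0.1 failures hit one account (a monitor or stale client retrying) or many (a password guess arriving through a local proxy such as webmail or Postfix SASL, which hides the real client address). The following is an added example, not code from the thread or from Dovecot: it parses auth lines in the format quoted above (quoted or unquoted usernames, assuming the " at " in the archive stands for "@") over a constructed sample log and flags any source IP that failed against several distinct accounts.

```python
import re
from collections import defaultdict

# Dovecot auth log line as quoted in the thread, e.g.
#   Jun 23 11:32:18 bubba dovecot: auth: ldap("user",127.0.0.1): invalid credentials
# The username may or may not be quoted; the ' at ' in the archive stands for '@'.
AUTH_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: auth: '
    r'(?P<db>\w+)\("?(?P<user>[^",)]+)"?,(?P<ip>[^)]+)\): (?P<result>.+)$'
)

def parse_auth_line(line):
    """Return the fields of one auth log line, or None if it does not match."""
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None

def failed_logins_by_ip(lines):
    """Map source IP -> {user -> failure count} for 'invalid credentials' lines."""
    table = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_auth_line(line)
        if rec and rec["result"].startswith("invalid credentials"):
            table[rec["ip"]][rec["user"]] += 1
    return table

def classify(table, min_accounts=3):
    """Flag IPs whose failures spread over at least min_accounts distinct users.

    One account failing repeatedly looks like a monitor or a misconfigured
    client; many accounts from one address is what a credential attack looks
    like, and behind a local proxy that address is 127.0.0.1 for every client.
    """
    return {ip: sorted(users) for ip, users in table.items()
            if len(users) >= min_accounts}

# Constructed sample log (hypothetical accounts and addresses, not from the thread)
SAMPLE_LOG = """\
Jun 27 12:03:27 bubba dovecot: auth: ldap(alice@example.com,127.0.0.1): invalid credentials
Jun 27 12:03:28 bubba dovecot: auth: ldap("bob@example.com",127.0.0.1): invalid credentials
Jun 27 12:03:29 bubba dovecot: auth: ldap("carol@example.com",127.0.0.1): invalid credentials
Jun 27 12:03:30 bubba dovecot: auth: ldap("monitor",127.0.0.1): invalid credentials
Jun 27 12:04:01 bubba dovecot: auth: ldap("dave@example.com",203.0.113.9): invalid credentials
Jun 27 12:04:05 bubba dovecot: auth: ldap("dave@example.com",203.0.113.9): invalid credentials
""".splitlines()

if __name__ == "__main__":
    for ip, users in classify(failed_logins_by_ip(SAMPLE_LOG)).items():
        print(f"{ip}: {len(users)} distinct accounts failed: {', '.join(users)}")
```

When the flagged address is 127.0.0.1, the next step is correlating timestamps with the webmail and Postfix SASL logs, since Dovecot's own line cannot name the client behind the proxy.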