My Dovecot issues continue. Right now I see at least two issues: first, my logs consistently show non-users trying (and failing) to log in, and I'm still unable to log in from my email client (Evolution or Roundcube, either one).

I'll post about the second issue later; right now I wonder why I'm getting so many non-users trying to log in. Am I the subject of concerted hacking attacks, or is there something else going on? Some of the attempted logins are more-or-less random names claiming to be @mydomain, but at least one is a username that's really on my server, to wit:

Jan 7 22:52:01 grace dovecot: lmtp(776281): Error: lmtp-server: conn unix:pid=776262,uid=117 [3]: rcpt www-data at mydomain.com: Failed to lookup user www-data at mydomain.com: Internal error occurred. Refer to server log for more information.

(Another quick question: which server log should I check?)

So, if anyone can tell me what's going on with all these logins, I'd be much obliged!

Ken
On 1/7/22 11:24 PM, Ken Wright wrote:
> My Dovecot issues continue. Right now I see at least two issues: first, my logs consistently show non-users trying (and failing) to log in, and I'm still unable to log in from my email client (Evolution or Roundcube, either one).
>
> I'll post about the second issue later; right now I wonder why I'm getting so many non-users trying to log in. Am I the subject of concerted hacking attacks, or is there something else going on? Some of the attempted logins are more-or-less random names claiming to be @mydomain, but at least one is a username that's really on my server, to wit:
>
> Jan 7 22:52:01 grace dovecot: lmtp(776281): Error: lmtp-server: conn unix:pid=776262,uid=117 [3]: rcpt www-data at mydomain.com: Failed to lookup user www-data at mydomain.com: Internal error occurred. Refer to server log for more information.
>
> (Another quick question: which server log should I check?)
>
> So, if anyone can tell me what's going on with all these logins, I'd be much obliged!

I see them all the time on the mail servers I run. Typical kids trying to mess with other people's stuff. I run fail2ban to catch those log entries and block the source IP address for a month on the first failed login. At any one time I have between 12,000 and 15,000 addresses in my blocked list for IMAP.

-Dave

--
Dave McGuire, AK4HZ
New Kensington, PA
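A small log-triage script in the spirit of the fail2ban approach Dave describes, added here as an illustration; it is not part of this thread, of Dovecot, or of fail2ban. It assumes Dovecot's standard imap-login "auth failed" line format, and the log lines, IPs and user list are constructed samples. It counts failures per source IP and notes whether a source ever guessed a real local account, which is the signal that separates background noise from something worth a closer look.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Dovecot's imap-login failure format (not from the thread).
SAMPLE_LOG = """\
Jan  7 22:50:11 grace dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<admin@mydomain.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<abc>
Jan  7 22:50:19 grace dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<test@mydomain.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<abd>
Jan  7 22:50:40 grace dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<www-data@mydomain.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<abe>
Jan  7 22:51:02 grace dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=<ken>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.2, TLS, session=<abf>
Jan  7 22:52:01 grace dovecot: imap-login: Login: user=<ken>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.2, mpid=7763, TLS, session=<abg>
"""

# Matches the "auth failed" disconnect/abort lines; the two capture groups are the
# username that was tried and the remote IP (rip=).
FAIL_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: (?:Disconnected|Aborted login) \(auth failed[^)]*\): "
    r"user=<([^>]*)>, .*?rip=([0-9a-fA-F.:]+)"
)

def parse_failures(log_text):
    """Return (failure count per IP, set of local-part usernames tried per IP)."""
    per_ip = Counter()
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        user, rip = m.group(1), m.group(2)
        per_ip[rip] += 1
        users_by_ip[rip].add(user.split("@", 1)[0])  # drop the @domain part
    return per_ip, users_by_ip

def classify(per_ip, users_by_ip, known_users, threshold):
    """Flag IPs at or above threshold and record whether they hit a real local account."""
    report = {}
    for rip, n in per_ip.items():
        if n >= threshold:
            hit_real = bool(users_by_ip[rip] & known_users)
            report[rip] = {"failures": n, "hit_real_user": hit_real}
    return report

if __name__ == "__main__":
    counts, users = parse_failures(SAMPLE_LOG)
    for rip, info in classify(counts, users, {"ken", "www-data"}, 3).items():
        print(rip, info)
```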
Ken,

Both of my production servers see the exact same problem. What was worse, I was seeing around 100K failed attempts to log in to my root user. A bit of research and now my firewall ignores any attempt from PRC. Sort of a cost of doing business.

Steve Hanselman

Sent from my iPad

> On Jan 7, 2022, at 20:24, Ken Wright <daddywarlock at gmail.com> wrote:
>
> My Dovecot issues continue. Right now I see at least two issues: first, my logs consistently show non-users trying (and failing) to log in, and I'm still unable to log in from my email client (Evolution or Roundcube, either one).
>
> I'll post about the second issue later; right now I wonder why I'm getting so many non-users trying to log in. Am I the subject of concerted hacking attacks, or is there something else going on? Some of the attempted logins are more-or-less random names claiming to be @mydomain, but at least one is a username that's really on my server, to wit:
>
> Jan 7 22:52:01 grace dovecot: lmtp(776281): Error: lmtp-server: conn unix:pid=776262,uid=117 [3]: rcpt www-data at mydomain.com: Failed to lookup user www-data at mydomain.com: Internal error occurred. Refer to server log for more information.
>
> (Another quick question: which server log should I check?)
>
> So, if anyone can tell me what's going on with all these logins, I'd be much obliged!
>
>
> Ken
>
On Fri, 7 Jan 2022, Ken Wright wrote:
[...]
> I'll post about the second issue later; right now I wonder why I'm getting so many non-users trying to log in. Am I the subject of concerted hacking attacks, or is there something else going on? Some of the attempted logins are more-or-less random names claiming to be @mydomain, but at least one is a username that's really on my server, to wit:
>
> Jan 7 22:52:01 grace dovecot: lmtp(776281): Error: lmtp-server: conn unix:pid=776262,uid=117 [3]: rcpt www-data at mydomain.com: Failed to lookup user www-data at mydomain.com: Internal error occurred. Refer to server log for more information.
>
> (Another quick question: which server log should I check?)
>
> So, if anyone can tell me what's going on with all these logins, I'd be much obliged!

Further to what others have replied, I find it odd that invalid e-mail addresses (in your case, www-data at mydomain.com) manage their way to your LMTP server (dovecot). Normally, your MTA (postfix, I presume) should reject e-mails to invalid addresses (i.e. not existing in your system -> dovecot), so that only e-mails to existing addresses reach LMTP at all. So you should check your postfix configuration, and in particular virtual_mailbox_maps, etc.

Cheers.