[Dovecot] Auth message
Timo Sirainen
tss at iki.fi
Tue Aug 12 21:18:02 EEST 2008
On Aug 8, 2008, at 2:01 AM, Pavel Shirov wrote:
> Recently my network was scanned. Various services was scanned, and
> checking
> the logs of mail server the following string draw my attention:
> mail dovecot: pop3-login: Disconnected: user=<ttejmgpfip>,
> method=PLAIN,
> rip=87.228.15.180, lip=x.x.x.x
>
> This looks weird to me, because pop3-login: Disconnected looks like
> succesful login attempt to me.
It's prefixed with "pop3-login", so it was the pre-login process that
disconnected the client. The user couldn't have logged in.
> Running dovecot 1.0.rc15 (CentOS 5). Here is how my sql auth done:
rc15 is pretty old. The logging messages (and a lot of other stuff)
have improved since then.
> password_query = SELECT password FROM mailbox WHERE active = '1' AND
> (LEFT(username, INSTR(username, '@')-1) = '%u' OR username = '%u')
> user_query = SELECT maildir as home, 6000 AS uid, 6000 AS gid,
> domain FROM
> mailbox WHERE LEFT(username, INSTR(username, '@')-1) = '%u' OR
> username =
> '%u'
Dovecot escapes all the usernames, and actually unless you've changed
auth_username_chars it doesn't even let any weird characters near the
SQL queries.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20080812/898bf9a6/attachment.bin
More information about the dovecot
mailing list