[Dovecot] Possible erroneous "aborted login attempts"
jerralegayle at sheltoncomputers.com
Mon Aug 30 06:02:26 EEST 2010
Aug 29 22:51:27 server1 dovecot: imap-login: Aborted login (no auth
attempts): rip=(obfuscated), lip=18.104.22.168, TLS
Aug 29 22:51:27 server1 dovecot: imap-login: Login: user=...........
before most every successful login, the same second of time, dovecot has
the above message.
This is not a huge problem but our firewall is looking for aborted login
attempts, for imap/pop3 (relevant to dovecot) dos attempts and, if many
people start having problems of their packets being dropped, we will
have to stop looking for the statement or lower security slightly, more
attempts over a period of time before filtering.
However, thanks to your idle feature, there is less of these messages;
so, I don't think we will have a problem. The only client that doesn't
have a problem is our php webmail but we don't look in dovecot's log for
failed attempts from here; as, it is from the same ip, to dovecot from
php, constantly without reference to the user. This has been happening
since 1.2.11 with us. We don't use any imap relay but was looking into
imapproxy for cacheing speed and preventing advanced ddos attempts,
those from users with access.
SC Senior Admin
More information about the dovecot