[Dovecot] dovecot dictionary attacks

Timo Sirainen tss at iki.fi
Thu Nov 11 20:31:17 EET 2010

On 11.11.2010, at 17.57, PA wrote:

> Yes postfix is configured for SASL so the spammer ip was able to relay email
> after it obtained the account info. 

Postfix supports Cyrus SASL and Dovecot SASL. You didn't specify which one.

> My concern is how the spammer got the user/pass in the 1st place since
> nowhere on the dovecot logs do I see that particular user attempting to
> login with the wrong/correct password etc. I should be able to see all login
> attempts, correct, if the user/pass was obtained through a dict. attack? If
> that's the case then most likely the user/password was obtained from the
> user's PC and not guessed on the mail server. I am trying to make sense of
> what happened and to make sure I'm not overlooking something on dovecot.

Yes, all login attempts via Dovecot are logged, but only if you have auth_verbose=yes.

If your Postfix authentications went through Cyrus SASL, then I don't know what it logs.
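
An added illustration, not part of the original message and not Dovecot's own code: with auth_verbose=yes enabled, a check like this one separates an account that was guessed on the server from one with no failed attempts in the log. The log lines are constructed, and the `passdb(user,ip): reason` line shape is an assumption to adjust for your Dovecot version and log destination.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread). Assumed auth_verbose shape:
# "auth: <passdb>(<user>,<remote ip>[,<session>]): <reason>".
SAMPLE_LOG = """\
Nov 11 03:10:01 mail dovecot: auth: passwd-file(admin,203.0.113.7): unknown user
Nov 11 03:10:02 mail dovecot: auth: passwd-file(info,203.0.113.7): Password mismatch
Nov 11 03:10:03 mail dovecot: auth: passwd-file(info,203.0.113.7): Password mismatch
Nov 11 03:10:04 mail dovecot: auth: passwd-file(test,203.0.113.7): unknown user
Nov 11 09:15:40 mail dovecot: auth: passwd-file(carol,198.51.100.20): Password mismatch
Nov 11 09:15:52 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.1
""".splitlines()

# Tolerates "auth(default):", "auth-worker(123):" and an optional "Info: " prefix.
AUTH_FAIL = re.compile(
    r"auth(?:-worker)?(?:\([^)]*\))?: (?:\w+: )?[\w-]+"
    r"\((?P<user>[^,)]*),(?P<ip>[^,)]+)[^)]*\): "
    r"(?P<reason>unknown user|password mismatch)", re.IGNORECASE)

def failed_logins(lines):
    """Return {user: [(ip, reason), ...]} for every failed attempt found."""
    failures = defaultdict(list)
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            failures[m["user"]].append((m["ip"], m["reason"].lower()))
    return dict(failures)

def guessing_sources(lines, min_users=3):
    """IPs that failed against at least min_users different account names."""
    users_by_ip = defaultdict(set)
    for user, attempts in failed_logins(lines).items():
        for ip, _reason in attempts:
            users_by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}

def was_guessed_here(lines, user):
    """True if `user` has failed attempts coming from a guessing source."""
    bad_ips = guessing_sources(lines)
    return any(ip in bad_ips for ip, _r in failed_logins(lines).get(user, []))

if __name__ == "__main__":
    print("guessing sources:", guessing_sources(SAMPLE_LOG))
    for account in ("info", "carol", "dave"):  # "dave" never appears in the log
        print(account, "guessed on this server:", was_guessed_here(SAMPLE_LOG, account))
```

Authentications that Postfix sends through Cyrus SASL do not appear in these lines, so a clean result here only covers logins handled by Dovecot.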

