[Dovecot] dovecot dictionary attacks
tss at iki.fi
Thu Nov 11 20:31:17 EET 2010
On 11.11.2010, at 17.57, PA wrote:
> Yes postfix is configured for SASL so the spammer ip was able to relay email
> after it obtained the account info.
Postfix supports Cyrus SASL and Dovecot SASL. You didn't specify which one..
> My concern is how the spammer got the user/pass in the 1st place since
> nowhere on the dovecot logs do I see that particular user attempting to
> login with the wrong/correct password etc. I should be able to see all login
> attempts correct if the user/pass was obtained through a dict. attack? Is
> that's the case then most likely the user/password was obtained from the
> user's PC and not guessed on the mail server. I am trying to make sense of
> what happened and to make sure im not overlooking something on dovecot.
Yes, all login attempts via Dovecot are logged, but only if you have auth_verbose=yes.
If your Postfix authentications went through Cyrus SASL, then I don't know what it logs.
More information about the dovecot