[Dovecot] Attacking Dovecot

Nikos Papadopoulos npap at ecs.com.gr
Sat Sep 10 00:45:26 EEST 2011


Hello,

I am using Dovecot ver.1.0.7 on an x86 server with RedHat Linux Enterprise 5
and the following configuration:

# 1.0.7: /etc/dovecot.conf
protocols: pop3
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/pop3-login
mail_location: mbox:~/mail:INBOX=/var/mail/%u
mail_executable: /usr/libexec/dovecot/pop3
mail_plugin_dir: /usr/lib/dovecot/pop3
pop3_client_workarounds: outlook-no-nuls oe-ns-eoh
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd

It seems that my mail server is being attacked by someone who tries to
retrieve users' credentials. Please read below an output of logwatch.

dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user sandra
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tanya
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tanya
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user dark
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user dark
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user gibson
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user frank
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user frank

Besides, some of the local users receive "spam" emails, which seem to be
sent by another local user.

Please assist me on how to prevent the aforementioned attack.

Best Regards,

Nikos
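
Added example, not part of the original post: a short Python check that turns logwatch output like the above into per-name counts of failed account lookups, tolerating records wrapped across lines. The function names and the min_distinct threshold are assumptions chosen for illustration; the sample is shortened from the lines in the post.

```python
import re
from collections import Counter

# Message text as it appears in the post's logwatch output. Using \s+
# between words lets a record match even when it was wrapped across lines.
UNKNOWN_USER = re.compile(
    r"dovecot-auth:\s+pam_succeed_if\(dovecot:auth\):\s+"
    r"error\s+retrieving\s+information\s+about\s+user\s+(\S+)"
)

def unknown_user_counts(text):
    """Count failed account lookups per user name."""
    return Counter(UNKNOWN_USER.findall(text))

def summarize(text, min_distinct=4):
    """Summarize one report; min_distinct is an assumed threshold."""
    counts = unknown_user_counts(text)
    return {
        "attempts": sum(counts.values()),
        "distinct_names": len(counts),
        # Names tried more than once in the same report.
        "retried": sorted(n for n, c in counts.items() if c > 1),
        # Several different unresolvable names suggests name guessing
        # rather than one user mistyping a login.
        "suspicious": len(counts) >= min_distinct,
    }

# Sample shortened from the post, including the wrapped form.
SAMPLE = """\
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information
about

user sandra
 dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information
about
user tanya
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user tanya
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user dark
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user gibson
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```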

 


