Difference between revisions of "Dovecot"

From Fail2ban
m (DovecotIMAP moved to Dovecot: dovecot imap/pop/sasl stuff is all centrally controlled by an authentication daemon so it doesn't make much sense (yet) to separate it.)
(Added reference to Dovecot wiki page for Fail2Ban)
 
(4 intermediate revisions by 4 users not shown)
Line 1: Line 1:
Dovecot is a POP3/IMAP server that can also provide authentication for SMTP and other SASL services.
+
Dovecot is a POP3/IMAP server that can also provide authentication for SMTP and other SASL services. See also the [http://wiki.dovecot.org/HowTo/Fail2Ban Fail2Ban page on the Dovecot wiki].
  
 
{{Logging_Outputs}}
 
{{Logging_Outputs}}
  
<div style="padding: 1em;border: 1px dashed #2f6fab;color: black;background-color: #f9f9f9;line-height: 1.1em;">
+
Dovecot-1.0.0 with pam. Other authentication mechanism probably produce different output.
Jan 11 03:42:09 email dovecot: auth(default): pam(support@example.org,213.33.10.200): pam_authenticate() failed: User not known to the underlying authentication module
+
 
Jan 26 22:31:37 email dovecot: auth(default): pam(dan,213.33.10.200): pam_authenticate() failed: Authentication failure
+
* Jan 11 03:42:09 email dovecot: auth(default): pam(support@example.org,192.0.2.2): pam_authenticate() failed: User not known to the underlying authentication module
<div>
+
* Jan 26 22:31:37 email dovecot: auth(default): pam(dan,192.0.2.2): pam_authenticate() failed: Authentication failure
 +
 
 +
Dovecot-1.0.15 with sql, and "auth_verbose = yes":
 +
 
 +
* Jan 11 03:42:09 email dovecot: auth-worker(default): sql(janfrode@tanso.net,192.168.11.16): Password mismatch
 +
* Jan 11 03:45:09 email dovecot: auth-worker(default): sql(someoneelse,192.168.11.16): unknown user
 +
 
 +
With successfull logins, it doesn't print anything from "auth-worker".
 +
 
 +
Dovecot-1.2.13, without pam (slackware), with TLS :
 +
* Jul 31 13:53:08 email dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<someone>, method=PLAIN, rip=192.168.0.2, lip=192.168.0.1, TLS
 +
* Jul 31 13:54:35 email dovecot: imap-login: Disconnected (tried to use unsupported auth mechanism): user=<someone>, method=LOGIN, rip=192.168.2.2, lip=192.168.2.1, TLS: Disconnected
 +
 
 +
(rip is the IP address of the client, lip is the IP address of the server)
 +
Same results with "auth_verbose = yes".
  
  
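Review bot: the added sql samples carry what looks like a real mailbox (janfrode@tanso.net), while this same revision replaces 213.33.10.200 in the pam samples with the documentation address 192.0.2.2. Use an example.org user and 192.0.2.x addresses in the new samples as well, so the page carries no real identifiers. The added sentence "With successfull logins" also has a typo (successful).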
Line 13: Line 27:
  
 
<pre>
 
<pre>
failregex =  
+
failregex = dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:
 
</pre>
 
</pre>
  
 
[[Category:MailServices]]
 
[[Category:MailServices]]
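Review bot: the failregex added here only matches the "auth(default): pam(...)" lines, so the "auth-worker(default): sql(...)" and "imap-login: ... rip=..." samples added earlier in this same revision never count as failures. Either add one failregex per documented format, with <HOST> in place of the client address (the second field of sql(...) and the rip= value), or say on the page that only the pam format is covered. The pattern would also be easier to audit with the literal "dovecot: " prefix instead of "dovecot.*".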

Latest revision as of 14:09, 29 August 2010

Dovecot is a POP3/IMAP server that can also provide authentication for SMTP and other SASL services. See also the Fail2Ban page on the Dovecot wiki.


Dovecot-1.0.0 with pam. Other authentication mechanisms probably produce different output.

  • Jan 11 03:42:09 email dovecot: auth(default): pam(support@example.org,192.0.2.2): pam_authenticate() failed: User not known to the underlying authentication module
  • Jan 26 22:31:37 email dovecot: auth(default): pam(dan,192.0.2.2): pam_authenticate() failed: Authentication failure

Dovecot-1.0.15 with sql, and "auth_verbose = yes":

  • Jan 11 03:42:09 email dovecot: auth-worker(default): sql(janfrode@tanso.net,192.168.11.16): Password mismatch
  • Jan 11 03:45:09 email dovecot: auth-worker(default): sql(someoneelse,192.168.11.16): unknown user

With successful logins, it doesn't print anything from "auth-worker".

Dovecot-1.2.13, without pam (Slackware), with TLS:

  • Jul 31 13:53:08 email dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<someone>, method=PLAIN, rip=192.168.0.2, lip=192.168.0.1, TLS
  • Jul 31 13:54:35 email dovecot: imap-login: Disconnected (tried to use unsupported auth mechanism): user=<someone>, method=LOGIN, rip=192.168.2.2, lip=192.168.2.1, TLS: Disconnected

(rip is the IP address of the client, lip is the IP address of the server.) The results are the same with "auth_verbose = yes".


Failregex

The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.

The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.

Please, before editing this section, propose your changes in the discussion page first.


failregex = dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:
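
A coverage check for the failregex above, as an added example that is not part of the wiki page or of Fail2ban: it expands <HOST> with the alias quoted above and runs the pattern over the six sample log lines listed on this page, showing that only the pam lines match. The two CANDIDATES patterns are hypothetical suggestions for the sql and imap-login formats, and plain re.search on the whole line is a simplification of how Fail2ban applies a failregex.

```python
import re

# Alias the page gives for the <HOST> tag.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
# failregex proposed on the page.
PAGE_FAILREGEX = r"dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:"
# Hypothetical candidates for the sql and imap-login formats (assumptions, not from the page).
CANDIDATES = [
    r"dovecot: auth-worker\(default\): sql\(.*,<HOST>\): (?:Password mismatch|unknown user)$",
    r"dovecot: imap-login: Aborted login \(auth failed, \d+ attempts\): .*\brip=<HOST>, lip=",
]
# The six sample log lines listed on the page.
SAMPLES = [
    "Jan 11 03:42:09 email dovecot: auth(default): pam(support@example.org,192.0.2.2): pam_authenticate() failed: User not known to the underlying authentication module",
    "Jan 26 22:31:37 email dovecot: auth(default): pam(dan,192.0.2.2): pam_authenticate() failed: Authentication failure",
    "Jan 11 03:42:09 email dovecot: auth-worker(default): sql(janfrode@tanso.net,192.168.11.16): Password mismatch",
    "Jan 11 03:45:09 email dovecot: auth-worker(default): sql(someoneelse,192.168.11.16): unknown user",
    "Jul 31 13:53:08 email dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<someone>, method=PLAIN, rip=192.168.0.2, lip=192.168.0.1, TLS",
    "Jul 31 13:54:35 email dovecot: imap-login: Disconnected (tried to use unsupported auth mechanism): user=<someone>, method=LOGIN, rip=192.168.2.2, lip=192.168.2.1, TLS: Disconnected",
]


def expand(failregex):
    """Substitute the <HOST> tag with the alias, as the page describes."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def coverage(patterns, lines):
    """For each log line, return the host captured by the first matching pattern, or None."""
    compiled = [expand(p) for p in patterns]
    hosts = []
    for line in lines:
        match = next((m for m in (rx.search(line) for rx in compiled) if m), None)
        hosts.append(match.group("host") if match else None)
    return hosts


if __name__ == "__main__":
    runs = (("page failregex", [PAGE_FAILREGEX]),
            ("page + candidates", [PAGE_FAILREGEX] + CANDIDATES))
    for label, patterns in runs:
        print(label)
        for line, host in zip(SAMPLES, coverage(patterns, SAMPLES)):
            print(f"  {host or 'NO MATCH':<14} {line[:72]}")
```

The last sample (unsupported auth mechanism) is deliberately left unmatched by the candidates; whether that event should count toward a ban is a policy choice the page does not settle.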