Difference between revisions of "Dovecot"

From Fail2ban
(specified IP for logs - previous one was anonymized too)
(Added reference to Dovecot wiki page for Fail2Ban)
 
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
Dovecot is a POP3/IMAP server that can also provide authentication for SMTP and other SASL services.
+
Dovecot is a POP3/IMAP server that can also provide authentication for SMTP and other SASL services. See also the [http://wiki.dovecot.org/HowTo/Fail2Ban Fail2Ban page on the Dovecot wiki].
  
 
{{Logging_Outputs}}
 
{{Logging_Outputs}}
Line 5: Line 5:
 
Dovecot-1.0.0 with pam. Other authentication mechanism probably produce different output.
 
Dovecot-1.0.0 with pam. Other authentication mechanism probably produce different output.
  
<div style="padding: 1em;border: 1px dashed #2f6fab;color: black;background-color: #f9f9f9;line-height: 1.1em;">
 
 
* Jan 11 03:42:09 email dovecot: auth(default): pam(support@example.org,192.0.2.2): pam_authenticate() failed: User not known to the underlying authentication module
 
* Jan 11 03:42:09 email dovecot: auth(default): pam(support@example.org,192.0.2.2): pam_authenticate() failed: User not known to the underlying authentication module
 
* Jan 26 22:31:37 email dovecot: auth(default): pam(dan,192.0.2.2): pam_authenticate() failed: Authentication failure
 
* Jan 26 22:31:37 email dovecot: auth(default): pam(dan,192.0.2.2): pam_authenticate() failed: Authentication failure
<div>
+
 
 +
Dovecot-1.0.15 with sql, and "auth_verbose = yes":
 +
 
 +
* Jan 11 03:42:09 email dovecot: auth-worker(default): sql(janfrode@tanso.net,192.168.11.16): Password mismatch
 +
* Jan 11 03:45:09 email dovecot: auth-worker(default): sql(someoneelse,192.168.11.16): unknown user
 +
 
 +
With successfull logins, it doesn't print anything from "auth-worker".
 +
 
 +
Dovecot-1.2.13, without pam (slackware), with TLS :
 +
* Jul 31 13:53:08 email dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<someone>, method=PLAIN, rip=192.168.0.2, lip=192.168.0.1, TLS
 +
* Jul 31 13:54:35 email dovecot: imap-login: Disconnected (tried to use unsupported auth mechanism): user=<someone>, method=LOGIN, rip=192.168.2.2, lip=192.168.2.1, TLS: Disconnected
 +
 
 +
(rip is the IP address of the client, lip is the IP address of the server)
 +
Same results with "auth_verbose = yes".
  
  
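Review bot: The added sql sample carries what appears to be a personal mailbox address (`janfrode@tanso.net`), while the pam samples above it use `support@example.org`; replace it with an example.org address so the page does not publish a user identifier. The same applies to the addresses: the pam lines use the documentation range 192.0.2.0/24, the new lines use 192.168.x.x, and keeping one convention makes the samples easier to reuse as regex test input. "successfull" should be "successful".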
Line 15: Line 27:
  
 
<pre>
 
<pre>
failregex =  
+
failregex = dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:
 
</pre>
 
</pre>
  
 
[[Category:MailServices]]
 
[[Category:MailServices]]
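Review bot: The failregex filled in here only matches the `auth(default): pam(...)` format, so the `auth-worker(default): sql(...)` and `imap-login: Aborted login (auth failed, ...)` samples added in this same revision produce no match and those failures would never be counted. Either add one failregex line per documented log format or state next to the pattern that it covers the pam backend only. The leading `dovecot.*` is also looser than needed; `dovecot: auth\(default\):` would pin the match to the daemon prefix shown in the samples.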

Latest revision as of 14:09, 29 August 2010

Dovecot is a POP3/IMAP server that can also provide authentication for SMTP and other SASL services. See also the Fail2Ban page on the Dovecot wiki.


Dovecot-1.0.0 with pam. Other authentication mechanisms probably produce different output.

  • Jan 11 03:42:09 email dovecot: auth(default): pam(support@example.org,192.0.2.2): pam_authenticate() failed: User not known to the underlying authentication module
  • Jan 26 22:31:37 email dovecot: auth(default): pam(dan,192.0.2.2): pam_authenticate() failed: Authentication failure

Dovecot-1.0.15 with sql, and "auth_verbose = yes":

  • Jan 11 03:42:09 email dovecot: auth-worker(default): sql(janfrode@tanso.net,192.168.11.16): Password mismatch
  • Jan 11 03:45:09 email dovecot: auth-worker(default): sql(someoneelse,192.168.11.16): unknown user

With successful logins, it doesn't print anything from "auth-worker".

Dovecot-1.2.13, without pam (Slackware), with TLS:

  • Jul 31 13:53:08 email dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<someone>, method=PLAIN, rip=192.168.0.2, lip=192.168.0.1, TLS
  • Jul 31 13:54:35 email dovecot: imap-login: Disconnected (tried to use unsupported auth mechanism): user=<someone>, method=LOGIN, rip=192.168.2.2, lip=192.168.2.1, TLS: Disconnected

(rip is the IP address of the client, lip is the IP address of the server) Same results with "auth_verbose = yes".


Failregex

The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.

The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.

Please, before editing this section, propose your changes in the discussion page first.


failregex = dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed: