On Aug 8, 2008, at 2:01 AM, Pavel Shirov wrote:
Recently my network was scanned. Various services were scanned, and checking the logs of the mail server, the following string drew my attention:
mail dovecot: pop3-login: Disconnected: user=<ttejmgpfip>, method=PLAIN, rip=87.228.15.180, lip=x.x.x.x
This looks weird to me, because pop3-login: Disconnected looks like a successful login attempt to me.
It's prefixed with "pop3-login", so it was the pre-login process that disconnected the client. The user couldn't have logged in.
Running dovecot 1.0.rc15 (CentOS 5). Here is how my SQL auth is done:
rc15 is pretty old. The logging messages (and a lot of other stuff) have improved since then.
password_query = SELECT password FROM mailbox WHERE active = '1' AND (LEFT(username, INSTR(username, '@')-1) = '%u' OR username = '%u')
user_query = SELECT maildir as home, 6000 AS uid, 6000 AS gid, domain FROM mailbox WHERE LEFT(username, INSTR(username, '@')-1) = '%u' OR username ='%u'
Dovecot escapes all the usernames, and actually unless you've changed auth_username_chars it doesn't even let any weird characters near the SQL queries.
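A log triage sketch for the line discussed in this thread, added here as an example and not part of the original messages or of Dovecot: it groups pre-login `Disconnected` lines by remote IP and flags addresses that cycled through several usernames. The sample lines are constructed (documentation IP ranges), the `Login:` line is an assumed format for a successful login, and the `min_users` threshold is an arbitrary choice.

```python
import re
from collections import defaultdict

# Matches the pre-login disconnect line quoted in the thread. The space
# after each comma is optional because wrapped log lines may lose it.
PRELOGIN_RE = re.compile(
    r"dovecot: (?:pop3|imap)-login: Disconnected: "
    r"user=<(?P<user>[^>]*)>, ?method=(?P<method>[^,]+), ?"
    r"rip=(?P<rip>[^,\s]+), ?lip=(?P<lip>\S+)"
)

# Constructed sample. The "Login:" line is an assumed format for a
# successful login and is deliberately not counted.
SAMPLE_LOG = """\
mail dovecot: pop3-login: Disconnected: user=<ttejmgpfip>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
mail dovecot: pop3-login: Disconnected: user=<admin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
mail dovecot: pop3-login: Disconnected: user=<test>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
mail dovecot: pop3-login: Disconnected: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
"""


def prelogin_disconnects(log_text):
    """Map remote IP -> usernames seen in sessions that ended before login."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = PRELOGIN_RE.search(line)
        if m:
            seen[m.group("rip")].add(m.group("user"))
    return dict(seen)


def likely_scanners(log_text, min_users=3):
    """Remote IPs that presented at least min_users distinct usernames."""
    hits = prelogin_disconnects(log_text)
    return sorted(ip for ip, users in hits.items() if len(users) >= min_users)


if __name__ == "__main__":
    for ip, users in prelogin_disconnects(SAMPLE_LOG).items():
        print(ip, sorted(users))
    print("likely scanners:", likely_scanners(SAMPLE_LOG))
```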