Timo,

Yes, Postfix is configured for SASL, so the spammer IP was able to relay email after it obtained the account info. My concern is how the spammer got the user/pass in the 1st place, since nowhere on the dovecot logs do I see that particular user attempting to login with the wrong/correct password etc. I should be able to see all login attempts, correct, if the user/pass was obtained through a dict. attack? If that's the case then most likely the user/password was obtained from the user's PC and not guessed on the mail server. I am trying to make sense of what happened and to make sure I'm not overlooking something on dovecot.

-----Original Message-----
From: Timo Sirainen [mailto:t...@iki.fi]
Sent: Wednesday, November 10, 2010 8:22 PM
To: PA
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] dovecot dictionary attacks

On 10.11.2010, at 23.03, PA wrote:

> However on my smtp mail server that ip is already sending out all sorts of
> spam with the sasl username of Paramus. This username Paramus never shows up
> on the dovecot dictionary attack, as a matter of fact the user Paramus is
> nowhere to be found on the dovecot log at all and I have logs going back
> months.
>
> I'm just not sure how they guess the username/password as it's not on any
> logs that go back months and I don't have a dovecot record for that user.

Well, probably obvious, but since you didn't explicitly say: You have configured Postfix to use Dovecot for authentication, not Cyrus SASL, right?..