Greetings,

I just woke up and went back to trying to diagnose the problem I first
reported in my other thread, and noticed something weird. After your
suggestions, the situation is as follows:

0) FTR, postfix is working: if I open the local mailboxes with mutt running
on the server, I do see email coming in as expected, from mailing lists and
our correspondents

1) output of dovecot -n is below

2) both "ss -tuln | grep 993" and "netstat -tanp" show NO activity/presence
on port 993

3) BUT, running "service dovecot status" (see output below, I only changed
server and user name) I noticed a failed authentication attempt from
SOMEUSER2, which happened ~15/20 minutes before I checked, where "SOMEUSER"
(without the trailing "2") is an ACTUAL user of the old server, and
200.89.159.59 is an IP address I don't know (not my desktop's for sure, and
AFAIK no legitimate user is trying to use the server at this time, they
know I'm rebuilding it...)

Now the question is: OK, that attempt may be some attacker trying to get
in, this happens, but... HOW is he even managing to TRY to connect, if
dovecot doesn't appear to be listening at all??? And of course, does this
help in any way to figure out what is wrong with my configuration?

Thanks,
Marco

#########################################
OUTPUT of dovecot -n (actual domain name changed to example.com)

# 2.3.21 (47349e2482): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.21 (f6cd4b8e)
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:9: ssl_dh_parameters_length is no longer needed
# OS: Linux 6.8.0-51-generic x86_64 Ubuntu 24.04.1 LTS ext4
# Hostname: nexaima
auth_debug = yes
auth_verbose = yes
auth_verbose_passwords = plain
mail_debug = yes
mail_location = maildir:/var/mail/mymail_storage/base/
mbox_write_locks = fcntl
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_cipher_list = ALL
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
userdb {
  driver = passwd
}
verbose_ssl = yes

######################################################

FULL OUTPUT OF "service dovecot status":

root@example:/# service dovecot status
● dovecot.service - Dovecot IMAP/POP3 email server
     Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; preset: enabled)
     Active: active (running) since Tue 2025-01-21 23:41:45 UTC; 5h 24min ago
       Docs: man:dovecot(1)
             https://doc.dovecot.org/
   Main PID: 35241 (dovecot)
     Status: "v2.3.21 (47349e2482) running"
      Tasks: 5 (limit: 4543)
     Memory: 3.6M (peak: 5.5M)
        CPU: 503ms
     CGroup: /system.slice/dovecot.service
             ├─35241 /usr/sbin/dovecot -F
             ├─35242 dovecot/anvil
             ├─35243 dovecot/log
             ├─35246 dovecot/config
             └─35323 dovecot/stats

Jan 22 04:49:06 example dovecot[35243]: auth-worker(37492): Debug: conn unix:auth-worker (pid=37491,uid=111): auth-worker<2>: pam(SOMEUSER2,200.89.159.59): #1/1 style=1 >
Jan 22 04:49:06 example auth[37492]: pam_unix(dovecot:auth): check pass; user unknown
Jan 22 04:49:06 example auth[37492]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=SOMEUSER2 rhost=200.89.159.59
Jan 22 04:49:08 example dovecot[35243]: auth-worker(37492): conn unix:auth-worker (pid=37491,uid=111): auth-worker<2>: pam(SOMEUSER2,200.89.159.59): pam_authenticate() f>
Jan 22 04:49:08 example dovecot[35243]: auth-worker(37492): Debug: conn unix:auth-worker (pid=37491,uid=111): auth-worker<2>: pam(SOMEUSER2,200.89.159.59): Finished pass>
Jan 22 04:49:08 example dovecot[35243]: auth-worker(37492): Debug: conn unix:auth-worker (pid=37491,uid=111): auth-worker<2>: Finished: password_mismatch
Jan 22 04:49:08 example dovecot[35243]: auth: Debug: pam(SOMEUSER2,200.89.159.59): Finished passdb lookup
Jan 22 04:49:08 example dovecot[35243]: auth: Debug: auth(SOMEUSER2,200.89.159.59): Auth request finished
Jan 22 04:49:10 example dovecot[35243]: auth: Debug: client passdb out: FAIL        2        user=SOMEUSER2
Jan 22 04:50:06 example dovecot[35243]: auth-worker(37492): Debug: conn unix:auth-worker (pid=37491,uid=111): Disconnected: Connection closed (fd=-1)
lines 1-27/27 (END)
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
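An added example, not part of Marco's post or of the Dovecot project: a shell script that pulls the user/rhost pairs out of pam_unix "authentication failure" journal lines like the one above, classifies each username against a known-user list (exact match, near-miss such as a real name with a trailing digit, or unknown), and checks `ss -tlnp`-style output for a listener on a given port. The journal lines, the `ss` output and the known-user list are constructed to mirror the pattern in the post, not the real log. One point the config above makes worth checking: `service auth { unix_listener /var/spool/postfix/private/auth }` is the socket Postfix uses for SASL, so a password attempt over SMTP AUTH (ports 25/587) reaches Dovecot's auth and PAM without any IMAP listener on 993, which is why the listener check below is run for those ports as well.

```shell
#!/usr/bin/env bash
# Constructed sample journal lines (same shape as the post's output; the
# 198.51.100.x / 203.0.113.x addresses are documentation ranges, not real hits).
SAMPLE_LOG='Jan 22 04:49:06 example auth[37492]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=SOMEUSER2 rhost=200.89.159.59
Jan 22 04:51:10 example auth[37500]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=198.51.100.7
Jan 22 04:52:30 example auth[37502]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=SOMEUSER rhost=203.0.113.5
Jan 22 04:53:00 example dovecot[35243]: imap-login: Login: user=<SOMEUSER>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS'

# Constructed "ss -tlnp" output: Postfix (master) on 25/587, sshd on 22, nothing on 993.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      100    0.0.0.0:25        0.0.0.0:*     users:(("master",pid=1234,fd=13))
LISTEN 0      100    0.0.0.0:587       0.0.0.0:*     users:(("master",pid=1234,fd=17))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=900,fd=3))'

# Assumed list of legitimate account names (one per line); replace with your own.
KNOWN_USERS='SOMEUSER
marco'

# failed_attempts: read journal text on stdin, print "user rhost" for each
# pam_unix(dovecot:auth) authentication failure; other lines are ignored.
failed_attempts() {
  sed -n 's/.*pam_unix(dovecot:auth): authentication failure;.*ruser=\([^ ]*\) rhost=\([^ ]*\).*/\1 \2/p'
}

# classify_user NAME: "known" (exact match), "near-miss" (a known name followed by
# digits or punctuation, e.g. SOMEUSER2 vs SOMEUSER), otherwise "unknown".
classify_user() {
  u="$1"
  for k in $KNOWN_USERS; do
    [ "$u" = "$k" ] && { echo known; return; }
    case "$u" in "$k"[0-9._-]*) echo near-miss; return;; esac
  done
  echo unknown
}

# report: one line per failed attempt: "rhost user classification".
report() {
  printf '%s\n' "$SAMPLE_LOG" | failed_attempts | while read -r u h; do
    printf '%s %s %s\n' "$h" "$u" "$(classify_user "$u")"
  done
}

# listeners_on_port PORT: read "ss -tlnp" output on stdin, print the Process
# column of every LISTEN socket bound to PORT (empty output means nothing listens).
listeners_on_port() {
  awk -v p=":$1\$" '$1=="LISTEN" && $4 ~ p {print $NF}'
}

# Stand-alone run: on a live box replace SAMPLE_SS with "$(ss -tlnp)" and
# SAMPLE_LOG with "$(journalctl -u dovecot --no-pager)".
report
for port in 993 25 587; do
  echo "port $port: $(printf '%s\n' "$SAMPLE_SS" | listeners_on_port "$port")"
done
```

The near-miss class is the one to watch: a guessed name that differs from a real account only by a suffix suggests the attacker is working from a leaked or scraped user list for this host rather than a generic dictionary.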