On Mon, Nov 14, 2016 at 06:39:08PM -0800, vod vos wrote:
> Hi,
>
> when I read the mail.log, I found:
>
> Nov 14 14:45:45 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<WEd2MD1B/Mdgfm8m>
>
> Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<H42OMD1BZslgfm8m>
>
> Nov 14 14:45:47 mail dovecot: pop3-login: Error: SSL: Stacked error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
>
> Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() failed: Unknown error, session=<rQ6QMD1BxMpgfm8m>
>
> Nov 14 14:45:47 mail dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
>
> Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() failed: Unknown error, session=<3DqTMD1BKstgfm8m>
>
> Nov 14 14:45:49 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS, session=<CCqyMD1BdMtgfm8m>
>
> Was the Dovecot working well?
>
> Are there any good solutions to forbid this kind of behavior to enhance the
> mail server?

Do you know whether these were actual login attempts? Because these look like typical port scans that you'll see from time to time.

According to this site, that's an IP that's known for port scanning:

https://www.abuseipdb.com/check/96.126.111.38

I wouldn't worry too much about them.

--Sean
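
Whether connections like these were actual login attempts can be read from the log itself by tallying Dovecot's login-process disconnect lines per remote IP. The script below is an added example, not part of the original thread: the function names are illustrative, the first four sample lines come from the quoted log, and the last sample line (address 203.0.113.7) is constructed to show the contrasting case.

```python
import re
from collections import defaultdict

# Sample input: four lines from the log quoted in the thread, plus one constructed
# line (documentation address 203.0.113.7) showing a client that did try to log in.
SAMPLE_LOG = """\
Nov 14 14:45:45 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<WEd2MD1B/Mdgfm8m>
Nov 14 14:45:47 mail dovecot: pop3-login: Error: SSL: Stacked error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() failed: Unknown error, session=<rQ6QMD1BxMpgfm8m>
Nov 14 14:45:49 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS, session=<CCqyMD1BdMtgfm8m>
Nov 14 15:02:10 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=108.61.22.11, TLS, session=<CONSTRUCTEDLINE00>
"""

DISCONNECT = re.compile(
    r"dovecot: (?P<svc>[\w-]+-login): Disconnected \((?P<reason>[^)]*)\): "
    r"user=<(?P<user>[^>]*)>,.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)(?P<rest>.*)$"
)
ATTEMPTS = re.compile(r"(\d+) attempts")  # "no auth attempts" has no digit, so no match


def summarize(log_text):
    """Return {rip: counters} for every login-process disconnect line."""
    stats = defaultdict(lambda: {"connections": 0, "auth_attempts": 0, "tls_failures": 0})
    for line in log_text.splitlines():
        m = DISCONNECT.search(line)
        if not m:
            continue  # e.g. "Error: SSL: Stacked error" lines carry no rip
        s = stats[m["rip"]]
        s["connections"] += 1
        n = ATTEMPTS.search(m["reason"])
        s["auth_attempts"] += int(n.group(1)) if n else 0
        if "TLS handshaking" in m["rest"]:
            s["tls_failures"] += 1  # client dropped or garbled the handshake
    return dict(stats)


def classify(counters):
    """Separate probing (never tried to log in) from credential guessing."""
    return "login-attempts" if counters["auth_attempts"] > 0 else "probe-no-auth"


if __name__ == "__main__":
    for rip, c in summarize(SAMPLE_LOG).items():
        print(rip, classify(c), c)
```

An address that only ever shows up as `probe-no-auth` never reached authentication; one classified `login-attempts` is the case worth rate-limiting or blocking.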