Re: [Dovecot] Under POP attack - now to prevent?

2009-06-04 Thread henry ritzlmayr
On Friday, 05.06.2009, 02:26 -0400, Timo Sirainen wrote: > On Jun 5, 2009, at 2:07 AM, henry ritzlmayr wrote: > > > Interesting for me is that you are on v1.2RC4. Timo wrote yesterday > > that with v1.2+ after every login failure the delay for the next > > attempt > > should grow. When I

Re: [Dovecot] Under POP attack - now to prevent?

2009-06-04 Thread Timo Sirainen
On Jun 5, 2009, at 2:07 AM, henry ritzlmayr wrote: Interesting for me is that you are on v1.2RC4. Timo wrote yesterday that with v1.2+ after every login failure the delay for the next attempt should grow. When I take a look at your timestamps this is obviously not working on your system.

Re: [Dovecot] Under POP attack - now to prevent?

2009-06-04 Thread henry ritzlmayr
On Friday, 05.06.2009, 12:04 +1000, James Brown wrote: > Looks like we are under a dictionary login attack on our POP server: > > Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth > failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, > lip=192.168.1.9 Since th

Re: [Dovecot] Under POP attack - now to prevent?

2009-06-04 Thread Curtis Maloney
James Brown wrote: Jun 5 11:48:32 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9 Any suggestions on how to prevent this? Using Dovecot 1.2RC4 Route that address to localhost? Works here :) There are various

[Dovecot] Under POP attack - now to prevent?

2009-06-04 Thread James Brown
Looks like we are under a dictionary login attack on our POP server: Jun 5 11:48:20 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=85.189.169.94, lip=192.168.1.9 Jun 5 11:48:24 mail dovecot[2620]: pop3-login: Aborted login (auth failed, 1

[Dovecot] v1.2.rc5 released

2009-06-04 Thread Timo Sirainen
http://dovecot.org/releases/1.2/rc/dovecot-1.2.rc5.tar.gz http://dovecot.org/releases/1.2/rc/dovecot-1.2.rc5.tar.gz.sig Some small fixes mainly. I guess I'll still have to release rc6 and rc7 after all. I've been a bit busy with v2.0 changes recently. BTW. I'm leaving tomorrow to San Francisco an

Re: [Dovecot] feature request - zlib compression via LDA

2009-06-04 Thread J.P. Trosclair
Timo Sirainen wrote: On Thu, 2009-06-04 at 17:05 -0500, J.P. Trosclair wrote: Timo Sirainen wrote: On Thu, 2009-06-04 at 16:52 -0500, J.P. Trosclair wrote: Any chance of getting compression support via the zlib plugin for dovecot deliver in future versions? Sure, if someone implements it. For

Re: [Dovecot] feature request - zlib compression via LDA

2009-06-04 Thread Timo Sirainen
On Thu, 2009-06-04 at 17:05 -0500, J.P. Trosclair wrote: > Timo Sirainen wrote: > > On Thu, 2009-06-04 at 16:52 -0500, J.P. Trosclair wrote: > >> Any chance of getting compression support via the zlib plugin for > >> dovecot deliver in future versions? > > > > Sure, if someone implements it. For me

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread Noel Butler
On Thu, 2009-06-04 at 18:58 +0200, henry ritzlmayr wrote: > On Thursday, 04.06.2009, 18:27 +0200, Steve wrote: > > > The Idea is good but I guess an option to just disconnect the attacker > > > wouldn't hurt in the config file? > > > > > Is that not the wrong approach? I mean: all you wante

Re: [Dovecot] feature request - zlib compression via LDA

2009-06-04 Thread J.P. Trosclair
Timo Sirainen wrote: On Thu, 2009-06-04 at 16:52 -0500, J.P. Trosclair wrote: Any chance of getting compression support via the zlib plugin for dovecot deliver in future versions? Sure, if someone implements it. For me it's a very low priority. Understood, was also wondering if a patch woul

Re: [Dovecot] feature request - zlib compression via LDA

2009-06-04 Thread Timo Sirainen
On Thu, 2009-06-04 at 16:52 -0500, J.P. Trosclair wrote: > Any chance of getting compression support via the zlib plugin for > dovecot deliver in future versions? Sure, if someone implements it. For me it's a very low priority.

Re: [Dovecot] ldap_search() failed "Server Busy"

2009-06-04 Thread Timo Sirainen
On Thu, 2009-06-04 at 22:23 +0200, Paul Carter-Brown wrote: > Jun 4 18:30:59 ug1s02-zone1 dovecot: [ID 107833 mail.error] > auth(default): ldap(0202934...@ug.smilecoms.com,10.31.3.13): > ldap_search() failed (filter (uid=0202934...@ug.smilecoms.com)): Server > is busy > > We are authenticating ag

Re: [Dovecot] ldap_search() failed "Server Busy"

2009-06-04 Thread Timo Sirainen
On Thu, 2009-06-04 at 22:23 +0200, Paul Carter-Brown wrote: > We are using dovecot 1.1.11 on Solaris 10u6. Under load, we are > experiencing the following errors: > > Jun 4 18:30:59 ug1s02-zone1 dovecot: [ID 107833 mail.error] > auth(default): ldap(0202934...@ug.smilecoms.com,10.31.3.13): > ldap

[Dovecot] feature request - zlib compression via LDA

2009-06-04 Thread J.P. Trosclair
Any chance of getting compression support via the zlib plugin for dovecot deliver in future versions?

[Dovecot] ldap_search() failed "Server Busy"

2009-06-04 Thread Paul Carter-Brown
Hi, We are using dovecot 1.1.11 on Solaris 10u6. Under load, we are experiencing the following errors: Jun 4 18:30:59 ug1s02-zone1 dovecot: [ID 107833 mail.error] auth(default): ldap(0202934...@ug.smilecoms.com,10.31.3.13): ldap_search() failed (filter (uid=0202934...@ug.smilecoms.com)): Server

Re: [Dovecot] Can expire-tool skip folders with "expire time in future" errors?

2009-06-04 Thread Ralph Seichter
Timo Sirainen wrote: > > I have folders containing messages which have been moved there -- either > > by the sieve plugin or manually in Thunderbird -- days or even weeks ago. > > The messages are not removed even with an expire time of "somefolder 1". > > Were the messages moved there before expi

Re: [Dovecot] Expire-Plugin segmentation fault (Re: Can expire-tool skip folders with "expire time in future" errors?)

2009-06-04 Thread Ralph Seichter
Timo Sirainen wrote: > Does the attached patch help? If not, increase the 1024*1024 to a larger > value. Sorry for replying so late, the server running Dovecot succumbed to a hardware problem. Now that the machine is online again, I applied your patch. Running the expire tool now causes the follo

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread Scott Silva
on 6-4-2009 3:48 AM Noel Butler spake the following: > On Thu, 2009-06-04 at 12:16 +0200, henry ritzlmayr wrote: > >> Hi List, >> >> optimizing the configuration on one of our servers (which was >> hit by a brute force attack on dovecot) showed an odd behavior. >> >> Dovecot Version 1.0.7 (CentO

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread henry ritzlmayr
On Thursday, 04.06.2009, 12:23 -0400, Timo Sirainen wrote: > On Thu, 2009-06-04 at 18:13 +0200, henry ritzlmayr wrote: > > > > Question: > > > > Is there any way to close the connection after the > > > > first wrong user/pass combination. So an attacker would be forced > > > > to reopen it?

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread henry ritzlmayr
On Thursday, 04.06.2009, 09:51 -0700, Mark Sapiro wrote: > On Thu, Jun 04, 2009 at 12:16:00PM +0200, henry ritzlmayr wrote: > > > > The problem: > > If the attacker wouldn't have closed and reopened the connection > > no log would have been generated and he/she would have endless > > tries

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread henry ritzlmayr
On Thursday, 04.06.2009, 18:27 +0200, Steve wrote: > > The Idea is good but I guess an option to just disconnect the attacker > > wouldn't hurt in the config file? > > > Is that not the wrong approach? I mean: all you wanted is to have a log entry > showing when there was a username/passwor

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread Mark Sapiro
On Thu, Jun 04, 2009 at 12:16:00PM +0200, henry ritzlmayr wrote: > > The problem: > If the attacker wouldn't have closed and reopened the connection > no log would have been generated and he/she would have endless > tries. Not even an iptables/hashlimit or fail2ban would have kicked in. > > How

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread Lenthir
Timo Sirainen wrote: Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. +OK POP3 [127.0.0.1] server ready user krzys +OK User name accepted, password please pass wew -ERR Bad login / Bledne haslo lub login. Connection closed by foreign host. That's not Dovecot. Hm... ups..

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread Steve
> The Idea is good but I guess an option to just disconnect the attacker > wouldn't hurt in the config file? > Is that not the wrong approach? I mean: all you wanted is to have a log entry showing when there was a username/password mismatch when logging in. And you found out that with normal logg

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread Timo Sirainen
On Thu, 2009-06-04 at 18:13 +0200, henry ritzlmayr wrote: > > > Question: > > > Is there any way to close the connection after the > > > first wrong user/pass combination. So an attacker would be forced > > > to reopen it? > > > > I think the growing delay is a better idea. > > The Idea is good b

Re: [Dovecot] imapmagicplus equivalent?

2009-06-04 Thread Timo Sirainen
On Thu, 2009-06-04 at 12:22 +0200, Juergen Kreileder wrote: > is anything like Cyrus IMAP's imapmagicplus option available for > Dovecot? If not, would it be possible to implement as a plugin? Yes, it would be possible to implement as a plugin. ACL plugin could be used as an example. I don't rea

[Dovecot] imapmagicplus equivalent?

2009-06-04 Thread Juergen Kreileder
Hi, is anything like Cyrus IMAP's imapmagicplus option available for Dovecot? If not, would it be possible to implement as a plugin? imapmagicplus: 0 Only list a restricted set of mailboxes via IMAP by using userid+namespace syntax as the authentication/authorization id. Using userid+ (wit

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread henry ritzlmayr
> > Question: > > Is there any way to close the connection after the > > first wrong user/pass combination. So an attacker would be forced > > to reopen it? > > I think the growing delay is a better idea. The Idea is good but I guess an option to just disconnect the attacker wouldn't hurt in the

Re: [Dovecot] deleteing label (cheating crackers)

2009-06-04 Thread Pascal Volk
On 06/04/2009 05:57 AM Mohsen Pahlevanzadeh wrote: > > Now I want to delete Dovecot word & put my word. > How do I do it? login_greeting Regards, Pascal -- The trapper recommends today: 5e1f1e55.0915...@localdomain.org

Re: [Dovecot] deleteing label (cheating crackers)

2009-06-04 Thread Steve
Original message > Date: Thu, 04 Jun 2009 08:27:05 +0430 > From: Mohsen Pahlevanzadeh > To: dovecot@dovecot.org > Subject: [Dovecot] deleteing label (cheating crackers) > Dear all, > When I telnet to my server, I see following things: > [r...@daka ~]# telnet 0 110 > Trying 0.

[Dovecot] deleteing label (cheating crackers)

2009-06-04 Thread Mohsen Pahlevanzadeh
Dear all, When I telnet to my server, I see following things: [r...@daka ~]# telnet 0 110 Trying 0.0.0.0... Connected to 0. Escape character is '^]'. +OK Dovecot ready. Now I want to delete Dovecot word & put my word. How do I do it? Yours, Mohsen

[Dovecot] Aging Password

2009-06-04 Thread Jacopo Cappelli
I use dovecot with shadow support and I have a problem with aging password, if the password is ended dovecot continues to log me in... Is it possible to disable login if the password is ended? Hi, Jacopo -- Linux, Windows Xp and MS-DOS (also known as the Good, the Bad and the Ugly). -- M

Re: [Dovecot] Password environment variable - logging the password

2009-06-04 Thread Timo Sirainen
On Jun 4, 2009, at 2:47 AM, Donovan Craig wrote: Is there any way we can get access to the plain text password upon login so we can insert this into our user table? What userdb do you use? The password is in %w variable, you can export that with most userdbs.

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread Timo Sirainen
On Jun 4, 2009, at 6:16 AM, henry ritzlmayr wrote: The problem: If the attacker wouldn't have closed and reopened the connection no log would have been generated and he/she would have endless tries. With v1.2+ the login failure delay grows after each failed login. If I enable auth_verbose ev

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread Timo Sirainen
On Jun 4, 2009, at 10:01 AM, Lenthir wrote: Cédric Laruelle wrote: Reproduced on 1.1.14 too and really problematic for me Can't reproduce in 1.2rc4 :) Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. +OK POP3 [127.0.0.1] server ready user krzys +OK User name accepted, pa

Re: [Dovecot] Some questions about deliver

2009-06-04 Thread Axel Luttgens
On 30 May 09 at 00:04, I wrote: [...] I really believe that it would be worth to engrave that behavior somewhere in the docs. This could prove extremely useful to people considering to replace their existing LDA in their existing setup, by making explicit some points to take care of. As a

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread henry ritzlmayr
On Thursday, 04.06.2009, 14:53 +0200, Cédric Laruelle wrote: > Reproduced on 1.1.14 too and really problematic for me Curious question: Why is it so problematic for you? As stated in my original post you only have to set auth_verbose to yes to get it logged. With that you can always block

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread Lenthir
Cédric Laruelle wrote: Reproduced on 1.1.14 too and really problematic for me Can't reproduce in 1.2rc4 :) Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. +OK POP3 [127.0.0.1] server ready user krzys +OK User name accepted, password please pass wew -ERR Bad login / Bledne

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread Cédric Laruelle
Reproduced on 1.1.14 too and really problematic for me -Original message- From: dovecot-bounces+laruellec=aiderdonner@dovecot.org [mailto:dovecot-bounces+laruellec=aiderdonner@dovecot.org] On behalf of Noel Butler Sent: Thursday, 4 June 2009 12:48 To: henry ritzlmayr Cc: dovecot@d

Re: [Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread Noel Butler
On Thu, 2009-06-04 at 12:16 +0200, henry ritzlmayr wrote: > Hi List, > > optimizing the configuration on one of our servers (which was > hit by a brute force attack on dovecot) showed an odd behavior. > > Dovecot Version 1.0.7 (CentOS 5.2) > > The short story: > On one of our servers an attac

[Dovecot] Dovecot under brute force attack - nice attacker

2009-06-04 Thread henry ritzlmayr
Hi List, optimizing the configuration on one of our servers (which was hit by a brute force attack on dovecot) showed an odd behavior. Dovecot Version 1.0.7 (CentOS 5.2) The short story: On one of our servers an attacker did a brute force attack on dovecot (pop3). Since the attacker closed a

Re: [Dovecot] Maildir compression utility

2009-06-04 Thread John Fawcett
Steffen Kaiser wrote: > On Fri, 29 May 2009, John Fawcett wrote: > > > Does anyone know of a script to compress old mails stored in a maildir > > format by carrying out the steps described at > > > http://wiki.dovecot.org/Plugins/Zlib > > I made this script: > http://www2.inf.fh-bonn-rhein-sieg.de/

Re: [Dovecot] Password environment variable - logging the password

2009-06-04 Thread Steffen Kaiser
On Thu, 4 Jun 2009, Donovan Craig wrote: Is there any way we can get access to the plain text password upon login so we can insert this into our user table? look at the setting: # In case of password mismatches, log the passwords and used scheme

Re: [Dovecot] Lost sub-mailboxes - not showing after upgrading to Dovecot from Courier-IMAP

2009-06-04 Thread Steffen Kaiser
On Thu, 4 Jun 2009, James Brown wrote: drwxrwxr-x 9 _vmail _postfix 306 Jun 4 09:11 .INBOX.INBOX.Sent drwxrwxr-x10 _vmail _postfix 340 Jun 4 09:11 .INBOX.INBOX.Trash drwxrwxr-x10 _vmail _postfix 340 Jun 4 09:04 .INBO