Misconfig? auth: Info: missing passwd file: /etc/exim4/domains//passwd

dovecot logs this, and these are no ‘attacks’ or ‘bots’. Something amiss with config.
Also, try doing dovecot admin stuff, like;

# doveadm force-resync -A '*'

or

# doveadm expunge -A mailbox Junk savedbefore 600d
# doveadm expunge -A mailbox Trash savedbefore 660d

All doveadm commands fail…

Yes:
/etc/exim4/domain/shouldbedomain.com/passwd

It is mainly caused by:

2023-02-14 13:06:30 dovecot_login authenticator failed for ([45.66.230.154]) [45.66.230.154]: 535 Incorrect authentication data (set_id=team)

See

Ah, my apologies! Interesting, I never saw this on any of my other servers. Must be an exim thing. First time I’m with exim…

It is mainly caused by the “bot” login attempt

I wonder if it can be stopped. It would be nice if we can write a script that blocks requests without a domain.


I’ve put a regex rule in CSF/LFD at /usr/local/csf/bin/regex.custom.pm;

# 535 Incorrect authentication data
# 8 tries; 2 day ban [customize]

        if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*dovecot_.*authenticator failed for.*\[(\S+)\]:\d+:\s+535 Incorrect authentication data .*/)) {
                return ("Authenticator failed: 535 Incorrect authentication data from",$1,"dovecot_authenticator_failed","8","","172809");
        }

where CUSTOM1_LOG = “/var/log/exim4/rejectlog” in /etc/csf/csf.conf

Something similar could also be accomplished with fail2ban, but I prefer CSF/LFD because I use its lists on several machines and they work together by sharing their bans etc.

Perhaps an idea to lift the “This topic will close a month after the last reply.” thing here. It’s really strange, for old usenet guys like me it was quite common to respond to threads that are years old… These topics keep being started, because I could not add to the previous ones…
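A way to dry-run the CSF/LFD rule posted above against log lines before relying on it, as an added example that is not part of the thread. The pattern is the poster's, ported unchanged to Python's `re`; the per-IP count is a simplified stand-in for LFD's trigger level, and the second sample line (source port after the address, the form assumed here for Exim with incoming-port logging enabled) is constructed.

```python
import re
from collections import Counter

# Pattern copied from the regex.custom.pm rule in the thread.
RULE = re.compile(
    r"^.*dovecot_.*authenticator failed for.*\[(\S+)\]:\d+:\s+"
    r"535 Incorrect authentication data .*"
)
TRIGGER = 8  # trigger level from the rule's return list ("8")

def offending_ip(line):
    """Return the IP the rule would capture as $1, or None if no match."""
    m = RULE.search(line)
    return m.group(1) if m else None

def ips_to_block(lines, trigger=TRIGGER):
    """Simplified model: IPs whose matching lines reach the trigger level."""
    hits = Counter(ip for ip in map(offending_ip, lines) if ip)
    return sorted(ip for ip, n in hits.items() if n >= trigger)

# Line quoted earlier in the thread: no port after the bracketed address.
THREAD_LINE = (
    "2023-02-14 13:06:30 dovecot_login authenticator failed for "
    "([45.66.230.154]) [45.66.230.154]: 535 Incorrect authentication data "
    "(set_id=team)"
)

# Constructed line: same event with a source port (documentation address).
PORT_LINE = (
    "2023-02-14 13:06:30 dovecot_login authenticator failed for "
    "([203.0.113.7]) [203.0.113.7]:51234: 535 Incorrect authentication data "
    "(set_id=team)"
)

if __name__ == "__main__":
    for name, line in (("thread line", THREAD_LINE), ("port line", PORT_LINE)):
        print(f"{name}: captured IP = {offending_ip(line)}")
    sample = [PORT_LINE] * 8 + [THREAD_LINE] * 8
    print("would be blocked:", ips_to_block(sample))
```

The rule requires `:port:` after the bracketed address, so a line in the format quoted earlier in the thread is not counted; check which format the file set as CUSTOM1_LOG actually contains.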
