Tag Archives: dovecot

Email Server Attack

Type: Brute Force
Protocol: POP3
OS: Linux 3.6.11+ armv6l
Platform: Pi Rev. B
Memory: 512M
Daemon: Dovecot 2.1.7-7
Backend Daemon: MySQL 5.5
Backend OS: Linux 2.6.32-5-amd64
Backend Platform: Generic AMD A4-3400 APU Dual Core
Backend Memory: 3.5G
Total Attempts: 13356
Avg. Attempt/s: 2.71

Postmortem:
67.136.48.186 was *unable* to authenticate successfully as any valid user.
Attack was mitigated at the firewall (DROP).
abuse@integratelecom.com was contacted about this event.

Further Information:
Fail2ban did not detect the attack; research is ongoing.
Fail2ban's ability to check logging may have been overwhelmed.
All logging is done remotely; no local logging occurs.
The RPI handled the traffic/load well and never swapped.

Log Excerpt:

Feb 22 18:14:05 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:12 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(info,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:24 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:26 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:27 hcpi004 dovecot: auth-worker(8400): sql(info,67.136.48.186): unknown user
Feb 22 18:14:28 hcpi004 dovecot: auth-worker(8400): sql(spam,67.136.48.186): unknown user
Feb 22 18:14:40 hcpi004 dovecot: auth-worker(8400): sql(administrator,67.136.48.186): unknown user
Feb 22 18:14:43 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user

*SNIP*

Feb 22 19:35:23 hcpi004 dovecot: auth-worker(25283): sql(bridgette,67.136.48.186): unknown user
Feb 22 19:35:25 hcpi004 dovecot: auth-worker(25283): sql(danielle,67.136.48.186): unknown user
Feb 22 19:35:25 hcpi004 dovecot: auth-worker(25283): sql(coach,67.136.48.186): unknown user
Feb 22 19:36:39 hcpi004 dovecot: auth-worker(26746): sql(chuck,67.136.48.186): unknown user
Feb 22 19:36:43 hcpi004 dovecot: auth-worker(26746): sql(bryson,67.136.48.186): unknown user
Feb 22 19:36:45 hcpi004 dovecot: auth-worker(26746): sql(denise,67.136.48.186): unknown user
Feb 22 19:36:45 hcpi004 dovecot: auth-worker(26746): sql(dev,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(bridget,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(dominic,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(dakota,67.136.48.186): unknown user
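A detection check for the Fail2ban gap noted above, meant to run on the remote log host where these lines actually land; this is an added example, not code from the original post, Dovecot or Fail2ban. It parses the auth-worker failure format shown in the excerpt and flags any source that reaches a fail2ban-style maxretry within a sliding findtime window; the 192.0.2.10 line is constructed, the other sample lines are taken from the excerpt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Dovecot 2.1 auth-worker failure line as in the excerpt (syslog timestamp has no year):
# "Feb 22 18:14:05 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user"
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"auth-worker\(\d+\): sql\((?P<user>[^,]+),(?P<ip>[0-9.]+)\): unknown user$"
)

def parse_failures(lines):
    """Yield (timestamp, user, ip) for every line that records a failed SQL user lookup."""
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if m:
            # No year in the syslog timestamp, so strptime defaults to 1900; only
            # differences between timestamps are used, so that is harmless here.
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]

def offenders(lines, maxretry=5, findtime=600):
    """Flag source IPs with >= maxretry failures inside any findtime-second sliding
    window (the semantics fail2ban applies). Returns {ip: (total_failures, users)}."""
    window = timedelta(seconds=findtime)
    recent, users, total, flagged = defaultdict(deque), defaultdict(set), defaultdict(int), set()
    for ts, user, ip in parse_failures(lines):
        total[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            flagged.add(ip)
    return {ip: (total[ip], sorted(users[ip])) for ip in flagged}

# Sample input: lines from the excerpt plus one constructed line (192.0.2.10) for a
# source that fails only once and must not be flagged.
SAMPLE_LOG = """\
Feb 22 18:14:05 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:12 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(info,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:20 hcpi004 dovecot: auth-worker(8400): sql(alice,192.0.2.10): unknown user
Feb 22 18:14:24 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:26 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:28 hcpi004 dovecot: auth-worker(8400): sql(spam,67.136.48.186): unknown user
""".splitlines()

if __name__ == "__main__":
    for ip, (n, names) in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures, users tried: {', '.join(names)}")
```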

Email Cleanup

Our email server directories will be cleaned out February 28th.

What this means…

All ham and spam folders will be completely wiped clean.
If you have email in either folder on your account, move it to your inbox or create a new folder to store it.

Thanks.
The Administration

Building a MySQL Capable Postfix RPM

Build Environment:
CentOS 5 x86_64
Postfix 2.3.3 Sources
gcc version 4.1.2 20080704 (Red Hat 4.1.2-44)

2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

# Get the src
1) wget http://mirror.centos.org/centos/5.3/centosplus/SRPMS/postfix-2.3.3-2.1.centos.mysql_pgsql.src.rpm

# Install the src RPM
2) rpm -i postfix-2.3.3-2.1.centos.mysql_pgsql.src.rpm

# Install some dependencies I didn’t have
3.1) yum install pcre-devel
3.2) yum install rpm-build
3.3) yum install mysql-devel.x86_64 openldap-devel.x86_64 db4-devel.x86_64
3.4) yum install gcc.x86_64

# Edit SPECS; remove postgres support
4.1) cd /usr/src/redhat/SPECS
4.2) vi postfix.spec and change “%define PGSQL 1” to “%define PGSQL 0”
# I didn’t want Postgres support
4.3) “%define MYSQL 1” was already defined for me

# Build the new rpm
5) rpmbuild -ba postfix.spec # Ignore warnings

# Install the new rpm
6.1) cd /usr/src/redhat/RPMS
6.2) rpm -i postfix-2.3.3-2.1.centos.mysql_pgsql.x86_64.rpm

Building an RPM build environment: CentOS Wiki