Imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs)

I have noticed in my tail -f /var/log/mail.log that someone is attempting to log in via IMAP to my MIAB server with login credentials for a domain that I host somewhere else (myotherdomain.co.uk instead of myotherdomain.uk) 🙂

imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=name@myotherdomain.co.uk, method=PLAIN, rip=5.188.11.11, lip=xxx.xxx.xxx.xxx, TLS, session=<cAUMhbNc/wAFvAsL>

So I am curious: is there any way to find out what passwords are being used to authenticate?

I have also tried blocking the whole subnet (rule 25), but I am still seeing this in mail.log, so ufw should have blocked it …

root@box:~# sudo ufw status numbered
Status: active

 To                         Action      From
 --                         ------      ----

[ 1] 22 ALLOW IN Anywhere
[ 2] 53 ALLOW IN Anywhere
[ 3] 25/tcp ALLOW IN Anywhere
[ 4] 587 ALLOW IN Anywhere
[ 5] 993 ALLOW IN Anywhere
[ 6] 995 ALLOW IN Anywhere
[ 7] 4190/tcp ALLOW IN Anywhere
[ 8] 80 ALLOW IN Anywhere
[ 9] 443 ALLOW IN Anywhere
[10] Anywhere DENY IN 103.199.161.40
[11] Anywhere DENY IN 118.68.57.80
[12] Anywhere DENY IN 211.72.217.11
[13] Anywhere DENY IN 181.192.60.23
[14] Anywhere DENY IN 182.72.206.74
[15] Anywhere DENY IN 92.207.194.176
[16] Anywhere DENY IN 89.248.162.247
[17] Anywhere DENY IN 91.208.99.2
[18] Anywhere DENY IN 208.100.26.233
[19] Anywhere DENY IN 210.65.114.3
[20] Anywhere DENY IN 164.132.206.86
[21] Anywhere DENY IN 61.69.108.150
[22] Anywhere DENY IN 5.188.11.11
[23] Anywhere DENY IN 89.146.35.189
[24] Anywhere DENY IN 117.54.4.124
[25] Anywhere DENY IN 5.188.86.0/24
[26] Anywhere DENY IN 187.183.168.89
[27] 22 (v6) ALLOW IN Anywhere (v6)
[28] 53 (v6) ALLOW IN Anywhere (v6)
[29] 25/tcp (v6) ALLOW IN Anywhere (v6)
[30] 587 (v6) ALLOW IN Anywhere (v6)
[31] 993 (v6) ALLOW IN Anywhere (v6)
[32] 995 (v6) ALLOW IN Anywhere (v6)
[33] 4190/tcp (v6) ALLOW IN Anywhere (v6)
[34] 80 (v6) ALLOW IN Anywhere (v6)
[35] 443 (v6) ALLOW IN Anywhere (v6)
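Added example, not code from the thread or from Mail-in-a-Box: it parses Dovecot imap-login auth-failure lines like the one posted above to total attempts per source address, and walks a ufw rule list the way ufw evaluates it (first matching rule wins) to show which rule a given source and port actually hits. The log lines and the rule subset below are constructed from the ones in the post; the lip address and the second session id are sample values.

```python
import ipaddress
import re
from collections import Counter

# Dovecot imap-login auth-failure line: rip= is the remote (source) address.
LOG_RE = re.compile(
    r"imap-login: Info: Disconnected \(auth failed, (?P<n>\d+) attempts? in \d+ secs\): "
    r"user=(?P<user>[^,]+), method=(?P<method>\w+), rip=(?P<rip>[\d.]+)"
)
# 'ufw status numbered' IPv4 lines; IPv6 lines ("22 (v6) ALLOW IN Anywhere (v6)") do not match.
UFW_RE = re.compile(
    r"\[\s*(?P<num>\d+)\]\s+(?P<to>\S+)\s+(?P<action>ALLOW|DENY)\s+IN\s+(?P<src>\S+)$"
)
# Constructed sample input modelled on the posted log line and rule table.
SAMPLE_LOG = """\
imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=name@myotherdomain.co.uk, method=PLAIN, rip=5.188.11.11, lip=10.0.0.2, TLS, session=<cAUMhbNc/wAFvAsL>
imap-login: Info: Disconnected (auth failed, 3 attempts in 9 secs): user=admin@myotherdomain.co.uk, method=PLAIN, rip=5.188.11.11, lip=10.0.0.2, TLS, session=<s2>
"""
SAMPLE_UFW = """\
[ 5] 993 ALLOW IN Anywhere
[22] Anywhere DENY IN 5.188.11.11
[25] Anywhere DENY IN 5.188.86.0/24
[27] 22 (v6) ALLOW IN Anywhere (v6)
"""


def failed_attempts_by_source(log_text):
    """Sum Dovecot's per-session attempt counts per remote IP."""
    totals = Counter()
    for m in LOG_RE.finditer(log_text):
        totals[m["rip"]] += int(m["n"])
    return totals


def parse_ufw(status_text):
    """Return [(number, to, action, source)] in the order ufw evaluates them."""
    return [(int(m["num"]), m["to"], m["action"], m["src"])
            for m in map(UFW_RE.match, status_text.splitlines()) if m]


def first_match(rules, src_ip, port):
    """First matching rule decides, so an ALLOW on the service port listed
    before a per-host DENY wins; returns (rule number, action) or None."""
    ip = ipaddress.ip_address(src_ip)
    for num, to, action, src in rules:
        port_ok = to == "Anywhere" or to.split("/")[0] == str(port)
        src_ok = src == "Anywhere" or ip in ipaddress.ip_network(src, strict=False)
        if port_ok and src_ok:
            return num, action
    return None
```

Running first_match over the posted table for the logged source and port 993 lands on the ALLOW rule, while the same source on a port with no ALLOW rule reaches the DENY.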

Passwords are generally not stored in plaintext in a log file. However, if they are trying to access the server through unencrypted means, you can packet-sniff the passwords using tcpdump, which will allow you to read the packets in plaintext (granted they are NOT encrypted, like if they try SMTP w/TLS or IMAPS or HTTPS).