I posted yesterday about the external IP address of my internal network being blocked by Fail2Ban. I have temporarily overcome this by unbanning the IP address in the Dovecot and Recidive jails for Fail2Ban, but this will be overwritten by the next update, so I want to get to the root cause…
This is the weekly usage report:
User logins per hour
════════════════════
                              imap  smtp │ timespan
─────────────────────────────────────────┼─────────
Email_Account_1_at_Domain1     3.2   0.0 │ 7.0 days
Email_Account_2_at_Domain1     0.6   0.0 │ 6.2 days
Email_Account_1_at_Domain2     3.3   0.0 │ 6.8 days
Email_Account_2_at_Domain2     8.5   0.1 │ 6.9 days
Email_Account_3_at_Domain2   902.1   0.0 │ 7.0 days
Email_Account_4_at_Domain2     3.4   0.0 │ 6.7 days
Email_Account_5_at_Domain2     4.7   0.1 │ 6.7 days
Email_Account_6_at_Domain2     3.5   0.0 │ 6.7 days
Email_Account_7_at_Domain2     4.6   0.0 │ 7.0 days
Email_Account_8_at_Domain2     3.8   0.0 │ 6.7 days
Email_Account_1_at_Domain3   909.0   0.0 │ 7.0 days
There are two accounts here that are constantly logging into imap every few seconds from what appears to be the local machine (rip=127.0.0.1, lip=127.0.0.1).
Below is a sample from /var/log/mail.log:
Mar 31 10:59:34 imap(Email_Account_3_at_Domain2): Info: Logged out in=12 out=412
Mar 31 10:59:34 imap-login: Info: Login: user=<Email_Account_3_at_Domain2>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=28024, secured, session=<+jD0nyOiKrF/AAAB>
Mar 31 10:59:34 imap(Email_Account_3_at_Domain2): Info: Logged out in=12 out=412
Mar 31 10:59:38 imap-login: Info: Login: user=< Email_Account_1_at_Domain3>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=28026, TLS, session=<kVIzoCOiaLp/AAAB>
Mar 31 10:59:38 imap(Email_Account_1_at_Domain3): Info: Logged out in=445 out=2973
Mar 31 10:59:42 imap-login: Info: Login: user=<Email_Account_3_at_Domain2>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=28028, secured, session=<cjFvoCOiLrF/AAAB>
Mar 31 10:59:42 imap(Email_Account_3_at_Domain2): Info: Logged out in=12 out=412
Mar 31 10:59:47 imap-login: Info: Login: user=< Email_Account_1_at_Domain3>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=28030, secured, session=<7la9oCOiNLF/AAAB>
Mar 31 10:59:47 imap(Email_Account_1_at_Domain3): Info: Logged out in=12 out=412
Mar 31 10:59:47 imap-login: Info: Login: user=< Email_Account_1_at_Domain3>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=28033, secured, session=<SGK+oCOiOLF/AAAB>
Mar 31 10:59:47 imap(Email_Account_1_at_Domain3): Info: Logged out in=12 out=412
I have logged into/out of the accounts on WebMail on the same server to ensure they weren’t constantly polling.
Can anyone advise on likely root cause/resolution?
Thank you
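As an added illustration (not part of the post above, and not Mail-in-a-Box or Dovecot code), the script below parses Dovecot `imap-login: Info: Login:` lines of the kind quoted in the post and reports, per account, how many logins occurred, what share came from a loopback address, the median gap between consecutive logins and an approximate logins-per-hour figure. It then flags accounts that log in repeatedly from 127.0.0.1 with only seconds between logins, which is the pattern that produces the 900+ logins/hour seen in the weekly report. The sample log embeds the login lines from the post plus one constructed line from an external address for contrast; the year passed to `parse_logins` is an assumption because syslog timestamps carry none, and the 10-second threshold in `flag_polling_loops` is a chosen default, not a Dovecot or Fail2Ban setting.

```python
"""Find accounts that log into Dovecot IMAP in a tight loop from loopback.

Added example: parses "imap-login: Info: Login:" lines from /var/log/mail.log
and summarises login cadence per user so a runaway local client (webmail,
indexer, sync agent) can be spotted and investigated.
"""
import ipaddress
import re
from datetime import datetime
from statistics import median

# Dovecot login line. The optional hostname and "dovecot:" tokens cover the
# usual syslog prefix; the lines quoted in the post happen to omit them.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?:\S+ )?(?:dovecot: )?"
    r"imap-login: Info: Login: user=<\s*(?P<user>[^>]+?)\s*>, "
    r"method=(?P<method>\w+), rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)"
)

# Sample input: login lines copied from the post, plus one CONSTRUCTED line
# from an external address (203.0.113.5 is a documentation range) for contrast.
SAMPLE_LOG = """\
Mar 31 10:59:34 imap(Email_Account_3_at_Domain2): Info: Logged out in=12 out=412
Mar 31 10:59:34 imap-login: Info: Login: user=<Email_Account_3_at_Domain2>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=28024, secured, session=<+jD0nyOiKrF/AAAB>
Mar 31 10:59:38 imap-login: Info: Login: user=< Email_Account_1_at_Domain3>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=28026, TLS, session=<kVIzoCOiaLp/AAAB>
Mar 31 10:59:42 imap-login: Info: Login: user=<Email_Account_3_at_Domain2>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=28028, secured, session=<cjFvoCOiLrF/AAAB>
Mar 31 10:59:47 imap-login: Info: Login: user=< Email_Account_1_at_Domain3>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=28030, secured, session=<7la9oCOiNLF/AAAB>
Mar 31 10:59:47 imap-login: Info: Login: user=< Email_Account_1_at_Domain3>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=28033, secured, session=<SGK+oCOiOLF/AAAB>
Mar 31 11:00:02 imap-login: Info: Login: user=<Email_Account_2_at_Domain2>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, mpid=28040, TLS, session=<constructed0001>
"""


def parse_logins(text, year=2024):
    """Return login events as dicts {user, when, rip, loopback}, in file order.

    Syslog timestamps have no year, so the caller supplies one (assumption).
    """
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # "Logged out" and unrelated lines are not login events
        ts = re.sub(r"\s+", " ", m["ts"])  # collapse "Mar  1" style padding
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        events.append({
            "user": m["user"],  # leading/trailing spaces inside <> already stripped
            "when": when,
            "rip": m["rip"],
            "loopback": ipaddress.ip_address(m["rip"]).is_loopback,
        })
    return events


def summarize(events):
    """Per user: login count, share from loopback, median gap between logins
    (seconds) and logins/hour over the observed window (None if < 2 logins)."""
    per_user = {}
    for ev in events:
        per_user.setdefault(ev["user"], []).append(ev)
    out = {}
    for user, evs in per_user.items():
        times = sorted(e["when"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        span = (times[-1] - times[0]).total_seconds()
        out[user] = {
            "logins": len(evs),
            "loopback_share": sum(e["loopback"] for e in evs) / len(evs),
            "median_gap_s": median(gaps) if gaps else None,
            "rate_per_hour": round(len(evs) / span * 3600, 1) if span > 0 else None,
        }
    return out


def flag_polling_loops(summary, max_gap_s=10.0):
    """Users logging in repeatedly from loopback with a median gap under
    max_gap_s: the signature of a local process stuck in a reconnect loop."""
    return sorted(
        u for u, s in summary.items()
        if s["logins"] >= 2
        and s["loopback_share"] == 1.0
        and s["median_gap_s"] is not None
        and s["median_gap_s"] < max_gap_s
    )


if __name__ == "__main__":
    summary = summarize(parse_logins(SAMPLE_LOG))
    for user, stats in summary.items():
        print(f"{user:30} {stats}")
    print("suspect loops:", flag_polling_loops(summary))
```

Run it against a real file with `summarize(parse_logins(open("/var/log/mail.log").read()))`; the `rate_per_hour` column computed over a short window is a snapshot, whereas the weekly report averages over the whole timespan, so expect the two to agree in magnitude rather than exactly. An account flagged here warrants checking which local process owns the connecting socket (for example with `ss -tnp` on the server) rather than any change to the Fail2Ban jails.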