My log files are being spammed with repeated IMAP logins from localhost
...
Aug 12 10:46:14 imap-login: Info: Login: user=<user@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=19262, secured, session=<PLXdP6+sBqp/AAAB>
Aug 12 10:46:14 imap(user@domain.tld): Info: Logged out in=12 out=412
Aug 12 10:46:14 imap-login: Info: Login: user=<user@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=19264, secured, session=<aQjfP6+sCqp/AAAB>
Aug 12 10:46:14 imap(user@domain.tld): Info: Logged out in=12 out=412
Aug 12 10:46:14 imap-login: Info: Login: user=<user@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=19266, secured, session=<80bgP6+sDKp/AAAB>
Aug 12 10:46:14 imap(user@domain.tld): Info: Logged out in=12 out=412
Aug 12 10:46:14 imap-login: Info: Login: user=<user@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=19268, secured, session=<pWDhP6+sDqp/AAAB>
Aug 12 10:46:14 imap-login: Info: Login: user=<user@domain.tld>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=19272, secured, session=<Dc7jP6+sFqp/AAAB>
Aug 12 10:46:14 imap(user@domain.tld): Info: Logged out in=12 out=412
Aug 12 10:46:14 imap(user@domain.tld): Info: Logged out in=360 out=3069
....
Anywhere from once every few seconds up to ten times a second.
Another post of a similar issue suggested webmail was active in a browser session, but I don’t even have my admin panel open at the moment. I’m at a real loss, but it’s making it difficult to monitor actual traffic to ensure everything is configured properly.
Could this be due to z-push or some other related function (NextCloud?)? You’d think it would log my remote IP, but I have my phone configured for push, along with calendar and such, and it does seem to be more active when I open my iPhone’s Mail app.
I suggest it may be z-push because it’s the only difference between MIAB and my old mail server, which only logs a single login when opening the Mail app.
Yes, I do have Mail.app open on my Macbook, but I can tell when it checks for messages since it will show my remote/home IP. The strange behavior is that these logs in question are all for 127.0.0.1.
I wonder if this is Nextcloud related. I was searching through Dovecot config files and saw a reference to issue #1577, where Nextcloud now does authentication via IMAP.
Don’t know why it’s so damn spammy, though.
Dovecot supposedly has a mechanism for setting configurations based on local and remote IPs:
# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
I’ve sent a message to the dovecot mailing list; hopefully this is just an issue with my syntax and not something that physically cannot be done.
In the meantime, I’ve changed the info_log_path to keep the spam out of the main mail logs, and updated fail2ban and logrotate to consider this new file.
I guess the other alternative is to disable nextcloud, as I’d rather have less log spam than Calendar and Contacts (I’m fine using iCloud for that, even though the separation would be cool).