On Fri, 2005-03-11 at 12:27 -0500, David Cary Hart wrote:
> We're apparently getting hit with a large number of attempts to get into
> mailboxes (partial sample listing):
> --------------------------------------------------------------------
> Mar 11 11:56:32 smtp dovecot(pam_unix)[15314]: authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Mar 11 12:01:01 smtp crond(pam_unix)[15320]: session opened for
> user root by (uid=0)
> Mar 11 12:01:01 smtp crond(pam_unix)[15320]: session closed for
> user root
> Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: check pass; user
> unknown
> Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Mar 11 12:05:06 smtp dovecot(pam_unix)[15324]: check pass; user
> unknown
> Mar 11 12:05:06 smtp dovecot(pam_unix)[15324]: authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Mar 11 12:05:26 smtp dovecot(pam_unix)[15326]: check pass; user
> unknown
> Mar 11 12:05:26 smtp dovecot(pam_unix)[15326]: authentication
> failure;
>
> Nowhere can I find a client IP listing. These are not logged to secure
> nor maillog. I just started logging 110 in iptables. Is that my only
> option? Have I missed something?
>

David,

Ethereal might help. Close down the pop and imap ports to only those
IP addresses that are authorized. If you don't want to see all of the
drops from iptables, don't send them through a LOG rule.

Bob...
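
Added example, not part of the original thread: because the pam_unix lines above carry an empty rhost=, one way to recover a client address is to pair each failure with iptables LOG entries for ports 110/143 seen a few seconds earlier. The log samples are constructed (kernel lines trimmed), and the "POP3: " log prefix, the addresses and the 10-second window are assumptions; the pairing is a timing heuristic, not proof of origin.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: pam_unix lines in the format quoted in the thread.
AUTH_LOG = """\
Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: check pass; user unknown
Mar 11 12:04:06 smtp dovecot(pam_unix)[15322]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 11 12:05:06 smtp dovecot(pam_unix)[15324]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 11 12:05:26 smtp dovecot(pam_unix)[15326]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
"""
# Constructed iptables LOG lines (assumed prefix "POP3: ", documentation-range IPs).
KERNEL_LOG = """\
Mar 11 12:04:03 smtp kernel: POP3: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40212 DPT=110 SYN
Mar 11 12:05:04 smtp kernel: POP3: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40215 DPT=110 SYN
Mar 11 12:05:25 smtp kernel: POP3: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51100 DPT=110 SYN
Mar 11 12:30:00 smtp kernel: POP3: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40300 DPT=110 SYN
"""

TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(TS + r" \S+ dovecot\(pam_unix\)\[(\d+)\]: authentication failure;", re.M)
CONN_RE = re.compile(TS + r" \S+ kernel: .*\bSRC=(\S+) .*\bDPT=(?:110|143)\b", re.M)

def parse_ts(stamp, year=2005):
    # Syslog timestamps carry no year; supply it so differences are well defined.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def correlate(auth_log, kernel_log, window=timedelta(seconds=10)):
    """Return (timestamp, pid, candidate_ips) for each dovecot auth failure."""
    conns = [(parse_ts(m[1]), m[2]) for m in CONN_RE.finditer(kernel_log)]
    out = []
    for m in FAIL_RE.finditer(auth_log):
        t = parse_ts(m[1])
        # Candidates: sources whose connection preceded the failure within the window.
        ips = sorted({ip for ct, ip in conns if timedelta(0) <= t - ct <= window})
        out.append((m[1], m[2], ips))
    return out

def failures_per_ip(matches):
    """Count failures per source, using only unambiguous (single-candidate) matches."""
    counts = {}
    for _, _, ips in matches:
        if len(ips) == 1:
            counts[ips[0]] = counts.get(ips[0], 0) + 1
    return counts

if __name__ == "__main__":
    for row in correlate(AUTH_LOG, KERNEL_LOG):
        print(row)
    print(failures_per_ip(correlate(AUTH_LOG, KERNEL_LOG)))
```

On a busy server several sources can fall inside one window; those failures come back with more than one candidate and are left out of the per-IP count.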