Concerned about message in /var/log/maillog

I've been working on setting up a mail server on FreeBSD (mail/postfix, mail/dovecot and so on, very basic and barebones).

At this point, everything works, except that dovecot produces a message in /var/log/maillog every time I try to receive email from my client. This triggers security/py-fail2ban which in turn bans my IP address. Which is a problem. (I'm working on it ...)

However, my real concern is something else:

While the message I see in /var/log/maillog refers to my username, every other time it has an IP address that is not mine:
Code:
Apr  1 14:58:53 dbdemon dovecot[22317]: auth-worker(22324): conn unix:auth-worker (uid=143): auth-worker<1>: passwd(********@dbdemon.com,***.***.***.***,<PSpbOgoViMtSBsYa>): unknown user  - trying the next userdb
Apr  1 14:58:53 dbdemon dovecot[22317]: imap-login: Login: user=<********@dbdemon.com>, method=PLAIN, rip=***.***.***.***, lip=78.141.197.193, mpid=22323, TLS, session=<PSpbOgoViMtSBsYa>
Apr  1 15:04:31 dbdemon dovecot[22317]: auth-worker(22355): conn unix:auth-worker (uid=143): auth-worker<1>: passwd(********@dbdemon.com,3.90.102.151,<l9qCTgoVE1cDWmaX>): unknown user  - trying the next userdb
Apr  1 15:04:31 dbdemon dovecot[22317]: imap-login: Login: user=<********@dbdemon.com>, method=PLAIN, rip=3.90.102.151, lip=78.141.197.193, mpid=22354, TLS, session=<l9qCTgoVE1cDWmaX>
(^^ my username and IP address are obfuscated.)

3.90.102.151 is not my IP address. It is not an IP address I recognise at all.

If I click the button to receive emails again in my client, another such entry appears in /var/log/maillog with yet another IP address that I don't recognise.

Is this indicative of some backdoor in my email client that is sending my credentials to an evil hacker? Or - hopefully - is there some more mundane, less nefarious reason why I see these strange IP addresses associated with my username?
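
An added example, not part of the original post: a small parser for the two Dovecot line types shown above. It pairs each auth-worker "unknown user" line with the Login line carrying the same session id, and lists per user the successful logins from remote IPs outside a known set. The sample lines, the addresses and the `known_ips` set are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown in the post (documentation address ranges).
SAMPLE = """\
Apr  1 14:58:53 mx dovecot[22317]: auth-worker(22324): conn unix:auth-worker (uid=143): auth-worker<1>: passwd(alice@example.org,192.0.2.10,<AAAAsess1>): unknown user  - trying the next userdb
Apr  1 14:58:53 mx dovecot[22317]: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, mpid=22323, TLS, session=<AAAAsess1>
Apr  1 15:04:31 mx dovecot[22317]: auth-worker(22355): conn unix:auth-worker (uid=143): auth-worker<1>: passwd(alice@example.org,198.51.100.77,<BBBBsess2>): unknown user  - trying the next userdb
Apr  1 15:04:31 mx dovecot[22317]: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.77, lip=203.0.113.5, mpid=22354, TLS, session=<BBBBsess2>
Apr  1 15:09:02 mx dovecot[22317]: auth-worker(22400): conn unix:auth-worker (uid=143): auth-worker<1>: passwd(bob@example.org,198.51.100.9,<CCCCsess3>): unknown user  - trying the next userdb
"""

UNKNOWN = re.compile(r"passwd\((?P<user>[^,]+),(?P<rip>[^,]+),<(?P<sid>[^>]+)>\): unknown user")
LOGIN = re.compile(r"imap-login: Login: user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[^,]+),.*?session=<(?P<sid>[^>]+)>")

def analyse(lines, known_ips):
    """Return (unexpected, resolved, unmatched).

    unexpected: user -> remote IPs with a successful Login outside known_ips
    resolved:   session ids whose 'unknown user' line was followed by a Login
    unmatched:  session ids with an 'unknown user' line and no Login line
    """
    pending = {}                      # session id -> (user, rip) awaiting a Login
    unexpected = defaultdict(set)
    resolved = []
    for line in lines:
        m = UNKNOWN.search(line)
        if m:
            pending[m["sid"]] = (m["user"], m["rip"])
            continue
        m = LOGIN.search(line)
        if m:
            # Same session id on both lines: the login for that session succeeded.
            if pending.pop(m["sid"], None) is not None:
                resolved.append(m["sid"])
            if m["rip"] not in known_ips:
                unexpected[m["user"]].add(m["rip"])
    return dict(unexpected), resolved, sorted(pending)

if __name__ == "__main__":
    # known_ips is an assumption: the addresses you expect your own clients to use.
    unexpected, resolved, unmatched = analyse(SAMPLE.splitlines(), {"192.0.2.10"})
    for user, ips in unexpected.items():
        print(f"{user}: successful login from unexpected IP(s) {sorted(ips)}")
    print("unknown-user lines followed by a successful login:", resolved)
    print("unknown-user lines with no login:", unmatched)
```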
 
Hard to answer without more info.

FWIW, I've learned Microsoft's Outlook for Android does very evil stuff from looking at logs ... it indeed adds some "cloud proxy" in between and then you'll see a login using your credentials originating from wherever .... needless to say I instantly banned this app from my phone.
 
Right, I have made a thread about this over on the Gnome forums as well:
 