I have been examining my logs recently and notice a lot of messages in the dovecot logs like this:
managesieve-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=172.22.1.6, lip=172.22.1.250
11/27/2021, 11:55:02 AM info imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=172.22.1.6, lip=172.22.1.250
11/27/2021, 11:55:02 AM info imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=172.22.1.6, lip=172.22.1.250, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
I notice that the remote IP is actually an internal one to the machine, so I am trying to figure out what could be happening…Any ideas?
A while back I noticed on a separate server running docker containers that the reverse proxy in nginx was not passing along outside IPv6 addresses, and was instead converting them to internal IPv4, which of course is REALLY BAD for security because you can’t block an internal address. So I wonder if something similar is happening here, or if this is something else, and harmless or not?