• maybl8

      Moolevel 36

    Wondering why I am seeing this:

    75.115.164.173 matched rule id 6 (imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 3 secs): user=<danc@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, TLS: Connection closed, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256_256 bits))
    netfilter-mailcow-1  | Address 75.115.164.173/32 is whitelisted by rule 75.115.164.173/32
    

    That is my server. I have my phone checking emails so it can’t be a password issue. I don’t know where this is coming from and it doesn’t happen all of the time.
    I will get a few of these and then it stops.
    Any ideas on what more I can check when this happens?

    • EETNyx

        Moolevel 46

      This is the netfilter log, right? Then check the dovecot logs. Do they not contain the reason for the failure? They should.


      • maybl8

          Moolevel 36

        Yes that is from the netfilter log.
        This is from the dovecot log but I don’t know if it is the correct timestamp. Is there a way to find the corresponding dovecot entry?

        Jan 17 08:04:38 351599f63899 dovecot: imap-login: Login: user=<dcc@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227104, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
        dovecot-mailcow-1  | Jan 17 08:04:38 351599f63899 dovecot: imap-login: Login: user=<danc@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227105, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
        dovecot-mailcow-1  | Jan 17 08:04:38 351599f63899 dovecot: imap-login: Login: user=<danc@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227106, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
        dovecot-mailcow-1  | Jan 17 08:04:38 351599f63899 dovecot: imap-login: Login: user=<mikec@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227107, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
        dovecot-mailcow-1  | Jan 17 08:04:40 351599f63899 dovecot: imap-login: Login: user=<dcc@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227114, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
        dovecot-mailcow-1  | Jan 17 08:04:40 351599f63899 dovecot: imap-login: Login: user=<mikec@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227115, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
        dovecot-mailcow-1  | Jan 17 08:04:40 351599f63899 dovecot: imap-login: Login: user=<mikec@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227116, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
        dovecot-mailcow-1  | Jan 17 08:04:40 351599f63899 dovecot: imap-login: Login: user=<dcc@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227117, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
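
One way to find the dovecot entry that corresponds to a netfilter match, as an added example that is not part of the original thread: filter saved dovecot log output for `auth failed` lines with the same `rip` and `user`, then list successful logins from that address within a few seconds. The sample lines are constructed with placeholder users and addresses; `parse`, `correlate`, the 10-second window and the year default are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the line format shown in the thread; the host name,
# users and addresses are placeholders, not values from the poster's server.
SAMPLE_LOG = """\
dovecot-mailcow-1  | Jan 17 08:04:38 host dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=203.0.113.7, lip=172.22.1.250, mpid=101, TLS
dovecot-mailcow-1  | Jan 17 08:04:41 host dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 3 secs): user=<alice@example.org>, method=PLAIN, rip=203.0.113.7, lip=172.22.1.250, TLS: Connection closed
dovecot-mailcow-1  | Jan 17 08:04:42 host dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=203.0.113.7, lip=172.22.1.250, mpid=102, TLS
Jan 17 09:30:00 host dovecot: imap-login: Disconnected: Connection closed (auth failed, 2 attempts in 5 secs): user=<carol@example.org>, method=PLAIN, rip=198.51.100.9, lip=172.22.1.250, TLS
"""

# search() is used so an optional "dovecot-mailcow-1  | " prefix is skipped.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: "
    r"(?P<svc>\S+-login): (?P<msg>.*?)user=<(?P<user>[^>]*)>"
    r".*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

def parse(log_text, year=2024):
    """Turn dovecot login lines into dicts; syslog stamps carry no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"time": when, "user": m["user"], "rip": m["rip"],
                           "failed": "auth failed" in m["msg"], "line": line})
    return events

def correlate(events, rip, user, window_s=10):
    """Pair each failure for rip/user with successful logins from that rip nearby in time."""
    span = timedelta(seconds=window_s)
    pairs = []
    for e in events:
        if e["failed"] and e["rip"] == rip and e["user"] == user:
            near = [o for o in events if not o["failed"] and o["rip"] == rip
                    and abs(o["time"] - e["time"]) <= span]
            pairs.append((e, near))
    return pairs

if __name__ == "__main__":
    for failure, near in correlate(parse(SAMPLE_LOG), "203.0.113.7", "alice@example.org"):
        print("FAILED :", failure["line"])
        for ok in near:
            print("  nearby OK:", ok["time"].time(), ok["user"])
```

Successful logins for the same account from the same address within seconds of a failure suggest more than one client or job is connecting with different stored credentials.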
        
        • esackbauer

          • Community Hero
          Moolevel 346
        • Edited

        So your server is doing an IMAP connection to itself?
        Because if it's your phone you would see a different IP address.
        Are there e.g. mailcow sync jobs or IMAP configurations in your SOGo webmail configured on your server?
        Or has any of your users done so?

        • maybl8

            Moolevel 36

          I don’t think so. Where would I look for that?
