Seeing my own server ip in the netfilter log

maybl8

Wondering why I am seeing this:

75.115.164.173 matched rule id 6 (imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 3 secs): user=<danc@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, TLS: Connection closed, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256_256 bits))
netfilter-mailcow-1  | Address 75.115.164.173/32 is whitelisted by rule 75.115.164.173/32

That is my server. I have my phone checking emails so it can’t be a password issue. I don’t know where this is coming from and it doesn’t happen all of the time.
I will get a few of these and then it stops.
Any ideas on what more I can check when this happens.

ETNyx

This is netfilter log right? than check dovecot logs does not contain reason of fail? it should

maybl8

Yes that is from the netfilter log.
This is from the dovecot log but I don’t know if it is the correct timestamp. Is there a way to find the corresponding dovecot entry?

Jan 17 08:04:38 351599f63899 dovecot: imap-login: Login: user=<dcc@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227104, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
dovecot-mailcow-1  | Jan 17 08:04:38 351599f63899 dovecot: imap-login: Login: user=<danc@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227105, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
dovecot-mailcow-1  | Jan 17 08:04:38 351599f63899 dovecot: imap-login: Login: user=<danc@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227106, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
dovecot-mailcow-1  | Jan 17 08:04:38 351599f63899 dovecot: imap-login: Login: user=<mikec@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227107, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
dovecot-mailcow-1  | Jan 17 08:04:40 351599f63899 dovecot: imap-login: Login: user=<dcc@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227114, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
dovecot-mailcow-1  | Jan 17 08:04:40 351599f63899 dovecot: imap-login: Login: user=<mikec@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227115, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
dovecot-mailcow-1  | Jan 17 08:04:40 351599f63899 dovecot: imap-login: Login: user=<mikec@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227116, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
dovecot-mailcow-1  | Jan 17 08:04:40 351599f63899 dovecot: imap-login: Login: user=<dcc@dccathome.com>, method=PLAIN, rip=75.115.164.173, lip=172.22.1.250, mpid=227117, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

esackbauer

So your server is doing an IMAP connection to itself?
Because if its your phone you would see a different IP address.
Are there e.g. mailcow sync jobs or IMAP configurations in your SOGO webmail configured on your server?
Or has any of your users done so?

maybl8

I don’t think so . Where would I look for that?