security issue: smtpauth with user@domain when only passwd auth enabled (dovecot)

  ronee

    Hi Guys,

    I'm hoping someone has an idea here.

    Have something very baffling on a server running centos + ispconfig2 with dovecot.

    Essentially this server is configured so all email user accounts are in the format: domain.ext_user (all these accounts are system users)

    But somehow, I've got some bad hats managing to authenticate as [email protected]

    I have no idea how this is being done, I have looked everywhere I can think of for a user account matching the smtp login without success. I've isolated the login in the maillogs that show things like: [email protected]
    The email address expressed in the sasl username does exist.

    I've already done the usual such as changing the password for the user in question that has that email address but somehow the successful authentication continues.

    I did find an old ssh enabled user that has a username that matches the user portion of the email address which I've disabled but again my question is how is this authentication possible.

    I've checked postfix and saslauthd is the only pwcheck method available.

    I've attempted to enable some debug logging to see if that sheds any light but no joy yet.

    Any ideas on this would be of great interest.
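Added example, not from the thread: a small log triage script for the situation ronee describes, which pulls the `sasl_username` out of Postfix smtpd `client=` lines and flags any login name that breaks the server's domain.ext_user convention (anything with an `@`, for instance), grouped by client IP. The log lines are constructed samples in the real Postfix format; the expected-username pattern is an assumption about this server and should be adjusted to match the local convention.

```python
import re
import sys
from collections import Counter

# Postfix smtpd logs a SASL-authenticated session on its "client=" line:
#   ... postfix/smtpd[PID]: QUEUEID: client=host[ip], sasl_method=PLAIN, sasl_username=...
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\],"
    r" sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)

# Assumption: valid accounts look like "example.com_joe" (system users, so no '@').
EXPECTED_USER_RE = re.compile(r"^[A-Za-z0-9.-]+_[A-Za-z0-9._-]+$")

# Constructed sample maillog excerpt (hosts, IPs and names are made up).
SAMPLE_LOG = """\
Mar  3 10:01:12 mail postfix/smtpd[2214]: 4F1A2B3C4D: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=joe@example.com
Mar  3 10:01:40 mail postfix/smtpd[2214]: 5A2B3C4D5E: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=joe@example.com
Mar  3 10:02:05 mail postfix/smtpd[2219]: 6B3C4D5E6F: client=home.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=example.com_joe
Mar  3 10:02:30 mail postfix/smtpd[2219]: 7C4D5E6F70: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=example.com_anna
Mar  3 10:03:00 mail postfix/smtpd[2221]: 8D5E6F7081: client=unknown[192.0.2.55], sasl_method=PLAIN, sasl_username=joe@example.com
Mar  3 10:03:10 mail postfix/smtpd[2221]: 8D5E6F7081: disconnect from unknown[192.0.2.55]
"""


def sasl_logins(lines):
    """Yield (queue_id, client_ip, sasl_method, username) for each authenticated session."""
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            yield m["qid"], m["ip"], m["method"], m["user"]


def unexpected_logins(lines):
    """Return {username: Counter(client_ip)} for logins that break the naming convention."""
    hits = {}
    for _qid, ip, _method, user in sasl_logins(lines):
        if not EXPECTED_USER_RE.match(user):
            hits.setdefault(user, Counter())[ip] += 1
    return hits


if __name__ == "__main__":
    # Usage: python triage.py /var/log/maillog   (falls back to the sample above)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for user, ips in unexpected_logins(lines).items():
        print(f"{user}: {sum(ips.values())} login(s) from {', '.join(ips)}")
```

On a live box, pass the real maillog path; every username it prints is one to check against `getent passwd` and the Dovecot/saslauthd configuration, since a name that no system account can have is being accepted by something.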

  till

    Did you restart dovecot and saslauthd and postfix after the password change? It sometimes happens that the password is cached so the attackers can still login with the old password until you restart these 3 services.
  ronee

    Thanks Till,

    I didn't restart, at least not right away, as you suggested, as the user's password did change, as evidenced by the fact they had to reconfigure their various email devices.

    More to the point, however, is the curiosity of how it was possible for the attacker to authenticate to an account in format [email protected] when the usernames are all in format domain.ext_user -- that is what has me rather baffled.

    After changing the password for the user in question a couple of times I realized the futility of it -- even though the attacker was authenticating to a username that matched the email address belonging to the account whose password I was changing, it was obviously a different account somehow. How, I don't know, as that version of ispconfig + dovecot used system users only for authentication afaik, and there was no such system user possible in the format [email protected]; hence the users are all domain.ext_user, due to the @ not being possible in system usernames.

    Any ideas would be of great interest.

  till

  ronee

    Thanks Till, sorry for the delay in my reply.

    Definitely have not done such a workaround; courier is not installed at all, and all users log in with a username of domain_user.

    Any idea how it can be possible for an attacker to authenticate to postfix for outgoing mail using a username of [email protected]?

    Pretty baffling, have not seen anything else like this.

