Hi. I'm seeing many of these in the logs in bulk. Are these hacking attempts? Feb 3 20:00:01 latte dovecot[2956]: auth-worker(51112): conn unix:auth-worker (pid=2971,uid=0): auth-worker<687>: sql(trialuser,107.174.6 8.151): unknown user (given password: 123456) - trying the next passdb Feb 3 20:00:02 latte dovecot[2956]: auth-worker(27161): conn unix:auth-worker (pid=2971,uid=0): auth-worker<3>: sql(nobody): unknown user - trying the next userdb Feb 3 20:00:02 latte dovecot[2956]: auth-worker(27161): conn unix:auth-worker (pid=2971,uid=0): auth-worker<4>: sql(vmail): unknown user - trying the next userdb Feb 3 20:00:02 latte dovecot[2956]: auth-worker(27161): conn unix:auth-worker (pid=2971,uid=0): auth-worker<5>: sql(getmail): unknown use r - trying the next userdb Feb 3 20:00:02 latte dovecot[2956]: auth-worker(27161): conn unix:auth-worker (pid=2971,uid=0): auth-worker<6>: sql(ispapps): unknown use r - trying the next userdb Feb 3 20:00:02 latte dovecot[2956]: auth-worker(27161): conn unix:auth-worker (pid=2971,uid=0): auth-worker<7>: sql(ispconfig): unknown u ser - trying the next userdb Feb 3 20:00:02 latte dovecot[2956]: auth-worker(27161): conn unix:auth-worker (pid=2971,uid=0): auth-worker<8>: sql(turgut): unknown user - trying the next userdb Feb 3 20:00:02 latte dovecot[2956]: auth-worker(27161): conn unix:auth-worker (pid=2971,uid=0): auth-worker<9>: sql(web1): unknown user - trying the next userdb
Is it a new install or longer existing server and these logs appeared out of the blue? Seems to me more like a misconfiguration where the auth-worker process is trying a sql connection with unix users (pam?) than a hack attempt.
