Index: [Article Count Order] [Thread]

Date:  Mon, 12 Mar 2007 10:45:42 -0400
From:  "Rusty Waybrant" <RWaybrant (at mark)>
Subject:  [coba-e:09100] Re: Dovecot/POP3 Flood
To:  <coba-e (at mark)>
Message-Id:  <7853B509BA765D40B8DACAEA2F64B2A4720CE6 (at mark)>
In-Reply-To:  <001601c76299$d8edf420$8ac9dc60$@net>
References:  <001601c76299$d8edf420$8ac9dc60$@net>
X-Mail-Count: 09100

After a reboot, the server would run "dbrecover" on start, which checks
the consistency of pwdb (password database that is used for all users
except for 'admin' and 'root').

You can manually run:
/etc/rc.d/init.d/dbrecover start

I've noticed if there is an issue with pwdb, it is usually not failing
authentication (drop the thick-client for troubleshooting and use
'telnet <server> pop3') but extremely slow authentication (30-60+
seconds, which is the reason for the errors). 

I've also noticed on high-traffic POP3 servers, you may this similar
issue as dictionary-attacks.

You will want to stop dovecot (or any service that might affected by
this, like xinetd [ftp] or admserv [httpd.admsrv]). Then kill any
processes that might be hung (usually 'dovecot-auth'). Then run
dbrecover, which may take a minute or two to run. Finally restart any
service you stopped. This usually fixes the issue without the need of a




From: Darrell D. Mobley [mailto:dmobley (at mark)] 
Sent: Friday, March 09, 2007 5:26 PM
To: coba-e (at mark)
Subject: [coba-e:09068] Dovecot/POP3 Flood

I started getting POP3 authentication errors on my server today, so I
logged on and tailed the maillog to see a POP3 flood using a dictionary
attack.  I blocked the offending source IP address in iptables, then
stopped dovecot to allow the server load to subside and then restarted
it.  It restarted normally, but I couldn't connect from my mail client
via POP3, the authentication continued to fail.  I ended up stopping and
restarting sendmail and saslauthd, thinking perhaps those needed
restarting.  No joy.  I tried stopping and restarting all the mail
server services in the GUI.  Still no joy.  I ended up rebooting the
server and everything came back up fine.


What sequence should I have used to stop and restart the mail services
correctly to avoid the reboot?