#6 minor bad pattern match - dovecot-1.0.0

[Daniel Black]

Sep 30 09:21:22 mail dovecot: imap-login: Disconnected: rip=10.10.10.213, lip=10.10.10.213, TLS
Sep 30 09:21:54 mail dovecot: pop3-login: Aborted login: rip=10.10.10.213, lip=10.10.10.213, TLS

These two lines appear in the log when an dovecot syslog 1.0.0 imap/pop session are attempted but not authentication is given. The first line matches the $out_pat. I don't think this can be exploited to gain an open relay without authentication however tightening up the regex may prevent this happening. Below is a legit logout from imap.

Sep 29 16:36:39 mail dovecot: IMAP(daniel): Disconnected: Logged out

[Wayne Davison]

Logged In: YES
user_id=35204
Originator: NO

The legit logout line you list is useless to pop-before-smtp because it doesn't contain an IP address. Is there a way to enable that? If so, the logout pattern could be tightened to avoid the other log line.

If not, some kind of custom_match subroutine would need to be created to associate an IP with a login name (and hope that the same user doesn't login from more than one IP).