Evolution sending my credentials via strange IP addresses

I have been working on setting up my own mail server, using postfix, dovecot etc.

While running dovecot with certain debug/verbose flags there is a message in my maillog that isn’t really an error (“unknown user - trying the next userdb”). This occurs every time Evolution is retrieving emails. That’s fine, and it’s not Evolution’s fault.

However, what is concerning is this: A strange IP address associated with my username in the maillog:

Apr  1 14:58:53 dbdemon dovecot[22317]: auth-worker(22324): conn unix:auth-worker (uid=143): auth-worker<1>: passwd(********@dbdemon.com,***.***.***.***,<PSpbOgoViMtSBsYa>): unknown user  - trying the next userdb
Apr  1 14:58:53 dbdemon dovecot[22317]: imap-login: Login: user=<********@dbdemon.com>, method=PLAIN, rip=***.***.***.***, lip=78.141.197.193, mpid=22323, TLS, session=<PSpbOgoViMtSBsYa>
Apr  1 15:04:31 dbdemon dovecot[22317]: auth-worker(22355): conn unix:auth-worker (uid=143): auth-worker<1>: passwd(********@dbdemon.com,3.90.102.151,<l9qCTgoVE1cDWmaX>): unknown user  - trying the next userdb
Apr  1 15:04:31 dbdemon dovecot[22317]: imap-login: Login: user=<********@dbdemon.com>, method=PLAIN, rip=3.90.102.151, lip=78.141.197.193, mpid=22354, TLS, session=<l9qCTgoVE1cDWmaX>

(^^ my username and my own IP address are obfuscated.)

3.90.102.151 is not my IP address. It is not an IP address I recognise at all.

It seems that every other time Evolution retrieves, another such entry appears in the maillog with yet another IP address that I don’t recognise.

This is a new mail server and nobody else knows about my username on this mail server.

Is Evolution sending my credentials to some third-party? That does not seem like a great idea.

Best wishes,
dbdemon

PS: Evolution version is 3.50.4 (3.50.4-1.fc39)
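The log lines above have a regular structure, so the check the question is really asking for (which remote addresses have logged in as this user, and whether any of them are outside the ones I expect) can be scripted. The following is an added example, not part of the original post: it parses dovecot "imap-login: Login:" lines, reports per user every rip that is not in a known set, and separately lists sessions where PLAIN/LOGIN authentication ran without TLS. The sample log is constructed in the format quoted above; "user@dbdemon.com" and 203.0.113.7 are placeholders for the obfuscated username and own IP, and the non-TLS line is invented to exercise that check.

```python
import re
from collections import defaultdict

# Constructed sample in the dovecot format quoted in the post. "user@dbdemon.com"
# and 203.0.113.7 stand in for the poster's obfuscated username and own address;
# the last line (no "TLS,") is invented to show a plaintext session.
SAMPLE_LOG = """\
Apr  1 14:58:53 dbdemon dovecot[22317]: auth-worker(22324): conn unix:auth-worker (uid=143): auth-worker<1>: passwd(user@dbdemon.com,203.0.113.7,<PSpbOgoViMtSBsYa>): unknown user  - trying the next userdb
Apr  1 14:58:53 dbdemon dovecot[22317]: imap-login: Login: user=<user@dbdemon.com>, method=PLAIN, rip=203.0.113.7, lip=78.141.197.193, mpid=22323, TLS, session=<PSpbOgoViMtSBsYa>
Apr  1 15:04:31 dbdemon dovecot[22317]: auth-worker(22355): conn unix:auth-worker (uid=143): auth-worker<1>: passwd(user@dbdemon.com,3.90.102.151,<l9qCTgoVE1cDWmaX>): unknown user  - trying the next userdb
Apr  1 15:04:31 dbdemon dovecot[22317]: imap-login: Login: user=<user@dbdemon.com>, method=PLAIN, rip=3.90.102.151, lip=78.141.197.193, mpid=22354, TLS, session=<l9qCTgoVE1cDWmaX>
Apr  1 15:10:02 dbdemon dovecot[22317]: imap-login: Login: user=<user@dbdemon.com>, method=PLAIN, rip=203.0.113.7, lip=78.141.197.193, mpid=22390, session=<abcDEFghiJKLmnoP>
"""

# Fields of a dovecot "imap-login: Login:" line; the "TLS, " token is absent on
# sessions that were not encrypted.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]+)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), mpid=\d+, (?P<tls>TLS, )?"
    r"session=<(?P<session>[^>]+)>"
)


def parse_logins(log_text):
    """Return one dict (user, method, rip, lip, tls, session) per successful login line."""
    logins = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["tls"] = entry["tls"] is not None
            logins.append(entry)
    return logins


def unexpected_sources(logins, known_ips):
    """Map each user to the remote IPs (rip) that are not in the expected set."""
    suspicious = defaultdict(set)
    for entry in logins:
        if entry["rip"] not in known_ips:
            suspicious[entry["user"]].add(entry["rip"])
    return dict(suspicious)


def plaintext_credential_sessions(logins):
    """Sessions where PLAIN/LOGIN auth ran without TLS, so the password crossed the wire unencrypted."""
    return [e["session"] for e in logins if e["method"] in ("PLAIN", "LOGIN") and not e["tls"]]


if __name__ == "__main__":
    entries = parse_logins(SAMPLE_LOG)
    for user, ips in unexpected_sources(entries, {"203.0.113.7"}).items():
        print(f"{user}: logins from unexpected IPs {sorted(ips)}")
    print("plaintext credential sessions:", plaintext_credential_sessions(entries))
```

On a real server, feed it the maillog and put your own egress address(es) in the known set; any remaining rip is a session to explain, which the session id lets you match back to the auth-worker line.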

whois says it belongs to Amazon. Are you running the server on AWS?

poc

No, the server is owned by Vultr.

Here are a couple of other IP addresses that also seem to know about my credentials (or at least my username):

54.88.248.207
3.90.217.172
18.209.21.23
54.224.66.244

(Edit: All seem to be AWS)

Hi,
Evolution doesn’t do any such thing, it does not share your credentials with anything.

When connecting to your server, it uses a route which is available. Might such a route go through the odd servers/IPs? Does traceroute include any of the AWS addresses? How have you configured IMAP in Evolution, please? Encryption and authentication method might be the two most interesting, together with the server host name (IP or domain name?).

You can run evolution from a terminal with IMAP debugging on to see what it does when talking to the IMAP servers:

   CAMEL_DEBUG=imapx:io evolution

Nonetheless, the only reason I can think of is the route to the server.
Bye,
Milan

Hi Milan,

When packets travel across the Internet they do bounce from one server to the next, each with its own IP address, but surely those intermediary IP addresses are not the ones being reported by dovecot. And the same would be the case for any other server on the Internet that receives packets/requests from a client.

My Evolution IMAP settings:
server: dbdemon.com
port: 993
Encryption method: TLS on a dedicated port
Authentication: Password

Thanks for the tip about Evolution IMAP debugging, I can see lots of output, but nothing nefarious. Of course, if there really were some deliberate hack in there that stole users’ credentials, then it would probably be better hidden than that …

I’m sure there is some natural explanation to all this, and it just looks suspicious because I’m no expert on any of this.

The IMAP debugging shows raw communication between Evolution (libcamel) and the server. It does not hide anything (apart from user passwords, which can be part of the communication too).

I talk about the route, because it matters. For example my machine is not visible to the outer internet, Google doesn’t show my real place from where I’m connected at its footer, it shows a place where my internet service provider has its machine. In other words, my machine does not have a public IP. That surely influences “where I’m connected from” for the outer servers.

You can try to connect to the server using GnuTLS (it’s used under the hood by glib-networking by default, which libcamel uses). That’ll be like:

   gnutls-cli dbdemon.com:993

if it connects properly, you might be prompted with something like this:

* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

probably, waiting for your input. Use the quit command to close the IMAP session. You should see similar lines in the server connection log when using gnutls-cli as you see when connecting with Evolution.