Introduction
If you have identified a malicious connection to your Dovecot service, you can disconnect the user with the 'doveadm kick' command.
Procedure
- Log in to the server as root, via SSH or the WHM "WHM / Server Configuration / Terminal" interface.
- First, list active connections:
doveadm who -1 $username
- From the output, find the connection(s) you'd like to terminate:
[root@server ~]cPs# doveadm who -1 foo
username proto pid  ip
foo      imap  8135 fd95:4eed:38ba::25
foo      imap  9112 192.0.2.53
foo      imap  8216 192.0.2.111
- Then, close the malicious connection(s):
doveadm kick $username $ip-or-cidr-range
For example, this will disconnect the two "192.0.2.x" connections:
[root@server ~]cPs# doveadm kick foo 192.0.2.0/24
kicked connections from the following users:
foo
- Confirm the connections have been terminated:
doveadm who -1 $username
Only the IPv6 connection remains in our example:
[root@server ~]cPs# doveadm who -1 foo
username proto pid  ip
foo      imap  8135 fd95:4eed:38ba::25
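Before kicking a CIDR range, it helps to see exactly which sessions the range covers so that legitimate connections are not dropped along with the malicious one. The following is an added example, not part of the original article or of Dovecot: it parses 'doveadm who -1' output and splits the sessions into those inside and outside a given IP or CIDR target. The function names are hypothetical, and it assumes the target is matched by plain CIDR containment.

```python
import ipaddress
import sys

# Output of "doveadm who -1 foo", copied from the example in the procedure above.
SAMPLE_WHO = """\
username proto pid  ip
foo      imap  8135 fd95:4eed:38ba::25
foo      imap  9112 192.0.2.53
foo      imap  8216 192.0.2.111
"""

def parse_who(output):
    """Parse 'doveadm who -1' output into dicts keyed by the header columns."""
    header, sessions = None, []
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if header is None:
            # Skip anything before the header row (e.g. a pasted shell prompt).
            if fields[0] == "username":
                header = fields
            continue
        if len(fields) != len(header):
            continue  # not a session row
        entry = dict(zip(header, fields))
        entry["ip"] = ipaddress.ip_address(entry["ip"])
        sessions.append(entry)
    return sessions

def preview_kick(sessions, target):
    """Return (would_be_kicked, would_remain) for an IP or CIDR target.
    Assumption: the target is matched by plain CIDR containment."""
    net = ipaddress.ip_network(target, strict=False)
    kicked, remaining = [], []
    for s in sessions:
        # An IPv4 range never covers an IPv6 session, and vice versa.
        hit = s["ip"].version == net.version and s["ip"] in net
        (kicked if hit else remaining).append(s)
    return kicked, remaining

if __name__ == "__main__":
    # Usage: doveadm who -1 foo | python3 preview_kick.py 192.0.2.0/24
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.0/24"
    text = SAMPLE_WHO if sys.stdin.isatty() else sys.stdin.read()
    kicked, remaining = preview_kick(parse_who(text), target)
    for label, group in (("KICK", kicked), ("KEEP", remaining)):
        for s in group:
            print(label, s["username"], s["proto"], s["pid"], s["ip"])
```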