Aborted login by logging out

JustSomeGuy

Active Member
Oct 13, 2007
31
0
56
I'm getting the following from legitimate clients on the server:

Jan 10 14:09:27 srv06 dovecot: pop3-login: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=CUSTOMER_IP, lip=SERVER_IP, session=<qwzslkHVIspMRYT0>
Obviously I've taken out the actual email address, and IP's.

Anyone know why all of a sudden the last few weeks this is happening? In the end, LFD is blocking these legitimate customers.
 

laxbobber

Member
Jan 4, 2005
19
4
153
cPanel Access Level
Root Administrator
@quietFinn - definitely not (but I know exactly why that was your reaction!). We have been investigating these, too.

@JustSomeGuy - in the last few days we have also been seeing LFD blocking these legitimate customers, too. It seems to happen during the upcp run. In our case, maillog has things like:

Jul 25 00:16:35 www dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 5 attempts in 26 secs): user=<[email protected]>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS, session=<iz8WSJr3wYCDXcqu>

This happens a few times and then LFD blocks these legitimate users. Had LFD not caught it things would pick right up and they'd be OK later. It is almost like upcp causes the mail daemon to not have access to (or have access to the wrong) user database temporarily.

Anyone else seen this? It is happening on a handful of servers for us so it's not isolated to one box.