The Community Forums


ADVISORY: Exim / Courier-IMAP Authentication Issue: Feb 22 2011

Discussion in 'E-mail Discussions' started by cPanelJared, Feb 28, 2011.

Thread Status:
Not open for further replies.
  1. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    We have become aware of a problem that is affecting multiple servers for multiple customers and is preventing sending and receiving mail. So far, as far as we have seen, the problem is only affecting Courier-IMAP. The symptom is a message like the following in /var/log/maillog:

    Code:
    2011-02-28 08:46:13 courier_login authenticator failed for 201008195189.[redacted] ([redacted]) [[redacted]]: 435 Unable to authenticate at present (set_id=[redacted]): socket read timed out inside "and{...}" condition
    2011-02-28 08:46:13 courier_login authenticator failed for ([redacted]) [[redacted]]: 435 Unable to authenticate at present (set_id=[redacted]): socket read timed out inside "and{...}" condition
    The common theme that we are seeing is the following:

    Code:
    socket read timed out inside "and{...}" condition
    Increasing the number of authentication daemons in Main >> Service Configuration >> Mailserver Configuration seems to help in some cases, but it is not a permanent fix.

    As a temporary work-around, if you are using Courier-IMAP and you encounter this problem, you can change to Dovecot using Main >> Service Configuration >> Mailserver Selection.

    Our developers are aware of this issue and are investigating the cause now. This is being tracked using internal case number 47563.
     
  2. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    As far as we have been able to observe in our investigation, the cause of this issue was a brute-force attack against Brazilian top-level domains (domains ending with .br). In one example, there were over 140,000 attempts to authenticate via SMTP using a user @ a Brazilian domain on a single server. We have not yet observed this behavior happening on a server that does not host Brazilian domains.

    If you have noticed large-scale brute-force attempts on mailboxes @ Brazilian domains on your server, please provide the IP addresses that you have noticed making the attempts.

    A defense against this, if your server has been affected, is to change your POP/IMAP server to Dovecot, using Main >> Service Configuration >> Mailserver Selection, and to enable cPHulkd brute force protection, in Main >> Security Center >> cPHulk Brute Force Protection.
     
  3. sulnet

    sulnet Member

    I changed to Dovecot, but the problem is still there.

    Code:
    dovecot_login authenticator failed
     
  4. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    If you have changed to Dovecot and mail authentication is still failing, please submit a ticket so that we may log into your server and work with you individually to achieve a timely resolution.
     
  5. silas_i

    silas_i Member

    If you change to Dovecot and it still doesn't work after changing the Mail Server Type, use /scripts/mailperm/ to fix a mailbox.

    In some cases you will need to change the password to get an account working again!
     
  6. sulnet

    sulnet Member

    Where can I see the solution for case 47563?
     
  7. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Internal cases are not publicly viewable.

    In every case we have seen with the symptoms described in this thread, the problem was caused by a large brute-force attack against e-mail addresses with domains ending in .br. Every server we observed had thousands, or tens of thousands, of log-in failures to e-mail addresses ending in .br, coming from different source IP addresses. It is likely that a botnet was involved, because the symptoms were so similar on so many servers.

    Based on these observations, we concluded that the problem was not caused by cPanel or by Courier-IMAP. Switching to Dovecot only masks the problem. The problem is still that the server is under a brute-force attack against .br domains, and this is a problem no matter what service is used for POP and IMAP.

    The best advice that we can give is to observe /var/log/maillog and identify which source IP addresses are attempting the failed log-ins, and block them in the server's firewall. In severe cases, I would also recommend contacting your data center and asking if the offending IP addresses can be blocked upstream, before they ever get to your server.

    This is an unusual situation, but our conclusion is that it is the result of a very targeted attack against .br e-mail addresses, and not the result of a problem in cPanel or Courier-IMAP. The issue can be mitigated using basic system administration, and you should contact your data center for assistance with blocking the IP addresses that are causing the problem on your server.
     
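The advice in the posts above (read /var/log/maillog, identify which source IPs are producing the failed log-ins, confirm that the targets are .br mailboxes, and block the sources in the firewall) as an added example; this is not code from the thread or from cPanel. It parses Exim's "authenticator failed for" lines in the layout shown in the first post, counts failures per source IP, per target mail domain and per SMTP response code, and prints iptables DROP rules for any source over a threshold. The distinction between codes matters: 535 Incorrect authentication data is Exim rejecting a wrong password (the guesses themselves), while 435 Unable to authenticate at present is the authenticator timing out, the symptom the thread opens with, which hits legitimate users as well once the authentication daemons are saturated. Everything in SAMPLE_MAILLOG (hostnames, HELO names, documentation-range IPs, mail domains, the message id) is constructed for the example; the threshold of 3 only suits the sample, and a real server wants a figure in the hundreds.

```python
#!/usr/bin/env python3
"""Find the sources of failed SMTP AUTH attempts in an Exim maillog.

Added example for this thread, not cPanel's own tooling. It parses the
"<authenticator> authenticator failed for <host> (<helo>) [<ip>]: <code> ... (set_id=<login>)"
lines that Exim writes to /var/log/maillog, counts failures per source IP,
per target mail domain and per SMTP response code, and prints iptables rules
for the sources that exceed a threshold.  Run against a real log with:
    python3 exim_auth_failures.py /var/log/maillog 200
"""
import re
import sys
from collections import Counter

# One Exim authenticator-failure line.  The client IP is the last [...] before
# the colon (an optional :port follows it when Exim logs incoming ports) and
# set_id is the login the client tried, which on cPanel is normally user@domain.
AUTH_FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<authenticator>\S+) authenticator failed for '
    r'(?P<peer>.*?)\[(?P<ip>[^\]]+)\](?::\d+)?: '
    r'(?P<code>\d{3}) (?P<reason>[^(]*)'
    r'(?:\(set_id=(?P<set_id>[^)]*)\))?'
)

# Constructed sample (not from the thread): two sources hammering a .br domain,
# one legitimate user with a typo, and one successful delivery that must be
# ignored.  IPs are from the documentation ranges; names and domains are made up.
SAMPLE_MAILLOG = """\
2011-02-28 08:46:13 courier_login authenticator failed for 198-51-100-7.example.net (WIN-PC) [198.51.100.7]: 435 Unable to authenticate at present (set_id=maria@example.com.br): socket read timed out inside "and{...}" condition
2011-02-28 08:46:13 courier_login authenticator failed for (WIN-PC) [198.51.100.7]: 435 Unable to authenticate at present (set_id=joao@example.com.br): socket read timed out inside "and{...}" condition
2011-02-28 08:46:14 courier_login authenticator failed for (ylmf-pc) [203.0.113.40]: 535 Incorrect authentication data (set_id=admin@example.com.br)
2011-02-28 08:46:14 courier_login authenticator failed for (ylmf-pc) [203.0.113.40]: 535 Incorrect authentication data (set_id=suporte@example.com.br)
2011-02-28 08:46:15 courier_login authenticator failed for (ylmf-pc) [203.0.113.40]: 535 Incorrect authentication data (set_id=vendas@example.com.br)
2011-02-28 08:46:20 dovecot_login authenticator failed for mail.example.org (laptop) [192.0.2.9]: 535 Incorrect authentication data (set_id=alice@example.org)
2011-02-28 08:46:21 1PuABC-0001xy-Zz <= bob@example.org H=mail.example.org [192.0.2.9] P=esmtpa A=dovecot_login:bob@example.org S=1420
"""


def parse_failures(lines):
    """Yield one dict per authenticator-failed line; every other line is skipped."""
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if m:
            yield m.groupdict()


def target_domain(set_id):
    """Mail domain a login was aimed at, lower-cased ('' if set_id has no '@')."""
    if not set_id or '@' not in set_id:
        return ''
    return set_id.rpartition('@')[2].lower()


def summarise(lines):
    """Count failures per source IP, per target domain, per TLD and per code."""
    per_ip, per_domain, per_tld, per_code = Counter(), Counter(), Counter(), Counter()
    for f in parse_failures(lines):
        per_ip[f['ip']] += 1
        per_code[f['code']] += 1
        domain = target_domain(f['set_id'])
        if domain:
            per_domain[domain] += 1
            per_tld['.' + domain.rsplit('.', 1)[-1]] += 1
    return {'per_ip': per_ip, 'per_domain': per_domain,
            'per_tld': per_tld, 'per_code': per_code}


def block_rules(per_ip, threshold):
    """iptables commands for every source with at least `threshold` failures,
    worst offender first.  Check each IP before applying: a shared NAT gateway
    or a customer's own office can look like an attacker."""
    return ['iptables -I INPUT -s %s -j DROP' % ip
            for ip, n in per_ip.most_common() if n >= threshold]


def main(argv):
    if len(argv) > 1:
        with open(argv[1], errors='replace') as fh:
            lines = fh.readlines()
        threshold = int(argv[2]) if len(argv) > 2 else 100
    else:                                  # no log given: run on the sample
        lines, threshold = SAMPLE_MAILLOG.splitlines(), 3
    s = summarise(lines)
    print('failures by response code:', dict(s['per_code']))
    print('failures by target TLD:   ', dict(s['per_tld']))
    print('top target domains:       ', dict(s['per_domain'].most_common(5)))
    print('top source IPs:')
    for ip, n in s['per_ip'].most_common(10):
        print('  %6d  %s' % (n, ip))
    print('rules for sources with >= %d failures:' % threshold)
    for rule in block_rules(s['per_ip'], threshold):
        print('  ' + rule)


if __name__ == '__main__':
    main(sys.argv)
```

On a cPanel server running ConfigServer Firewall, `csf -d <ip>` does the same as the printed iptables rule and persists across reboots. The per-code breakdown is the check worth keeping: if the 435 count stays high after the 535 sources are blocked, the authentication daemons are still saturated and the remaining sources, or an upstream block from the data center, need attention.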
  8. asciigirl

    asciigirl Registered

    I've fixed a similar issue using fail2ban.
     
  9. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Can you, and everyone else that experiences this issue, please submit a bug report? You can do this by clicking "bugs" at the top of the page. If you experience issues submitting a bug, send me an email to sales@cpanel.net so we can route you into the bug report system via email. This will let us see if the issue is consistent with the observations Jared mentioned or if something else is going on that needs addressing. The more bug reports we receive, the more complete a picture we have and the faster a resolution can appear in the product. This will also give us the ability to email you when the product defect is resolved.

    Since this internal case has been closed as a result of the observations Jared mentioned, I am removing it from this thread's title.

    Anyone else experiencing this issue, please submit a bug report. I am now closing this thread.
     