Apple Mail client constantly blocked for port scanning

skrl

Active Member
Mar 18, 2021
37
6
8
Kingston
cPanel Access Level
Website Owner
I have one user constantly blocked by lfd for port scanning. They are only trying to connect to their email with the Apple Mail client. I have found a thread on the Apple forums, which I have brought to my user's attention (Mail.app is using port 585 and blocking m… - Apple Community), and they said that they tried that, but they are still making their way onto the blacklist. This is the only user with Apple Mail constantly ending up on the blacklist on the whole server. My go-to option has been to quickly ignore their IPv4 every now and again. I would have their IP whitelisted had they had a static one, which they don't. I have also suggested they try switching mail clients, which they don't want to try.

What would be the best approach to help them, without compromising the server security?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
14,257
2,220
363
cPanel Access Level
Root Administrator
Hey there! I do see several web results for "apple mail blocked port scanning" but I don't believe there is anything on the cPanel side of things that can be done for this, as the issue would lie either with the firewall or Apple Mail, neither of which are controlled by us.

With that said, we (cPanel techs internally) used Apple Mail for a very long time, and I don't recall anyone having this particular issue, as many of us also use CSF/LFD on our personal systems.

Other results (Apple Macs trigger IP blocks - port 587) show that the Mail client checks port 587 first, and that adding that as a secondary Exim port in WHM >> Service Manager can help resolve this issue.
 

skrl

Hey, thanks for the input. Usually I am not having similar issues with other Apple Mail users either, but with this particular customer it has been a nightmare.

I have followed your lead and enabled the appropriate port (585 in my case, according to the DPT reported in /var/log/messages for that incident) both as an Exim secondary port and in csf.

I will monitor how it goes and will let you know if it has been resolved or is still persisting.

Thanks tons.
 

skrl

The joy of success only lasted a few hours. I am touching base to let you know that I just received notice from my customer that they are experiencing similar issues again today. Only... upon inspecting the logs I could not find any similar records to the previous ones.

I checked the messages and lfd.log logs, but was only able to find normal traffic records in the first one, and only one csf record for their last known IP address in the second. Since I couldn't make sense of it, I continued my search with grepping their IP in the maillog and that is where I discovered the following:

Apr 21 17:58:48 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=their.IP, lip=my.server's.ip, mpid=5244, TLS, session=<IDDkWCvdXtUCVNRc>
Apr 21 18:03:47 cpnl dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (no auth attempts in 0 secs): user=<>, rip=their.IP, lip=my.server's.ip, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<yUa3aivd4dICVNRc>
Apr 21 18:03:47 cpnl dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (no auth attempts in 0 secs): user=<>, rip=their.IP, lip=my.server's.ip, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<jGW3aivd4tICVNRc>
Apr 21 18:03:47 cpnl dovecot: imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=their.IP, lip=my.server's.ip, session=<Zpq4aivd6dICVNRc>
Apr 21 18:03:47 cpnl dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 0 secs): user=<>, method=LOGIN, rip=their.IP, lip=my.server's.ip, session=<6pG4aivd6NICVNRc>


I did quite some reading on the error:140760FC:SSL message in particular, but I am more confused now than I was before all the input from the various answers I found. Some say that it is a TLS version incompatibility between the server, which accepts only newer versions, and the client (older TLSv1 maybe?). Others say it is normal behavior. Then I found this thread ( [RESOLVED] dovecot + imap + ssl - CentOS ) where they are suggesting a chmod on the /etc/pki/dovecote/certs/dovecot.pem file, to 0444. That thread is 10 years old. I checked mine and it is a 0600. I honestly don't know how to proceed with this. Any additional help would be much appreciated. Thanks.
 

skrl

I have requested that bit of information from my customer, and I will let you know. In the meantime, is there anything else I should/could look into?
 

skrl

Returning to this, as I am still suffering from it. I have requested my customer to edit their mail client settings to not automatically detect and maintain account settings.

For the first two days everything was running sweetly, but then, yesterday, I was notified that they are experiencing their blacklisting issue again.

I checked the exim_mainlog records for their IP at the time of the incident, and I discovered the following records:

[[email protected] ~]# cat /var/log/exim_mainlog | grep 2.84.222.207
2022-04-27 04:01:24 SMTP connection from [2.84.222.207]:63272 (TCP/IP connection count = 1)
2022-04-27 04:01:40 SMTP connection from [2.84.222.207]:63301 (TCP/IP connection count = 2)
2022-04-27 04:01:40 SMTP connection from [2.84.222.207]:63303 (TCP/IP connection count = 3)
2022-04-27 04:01:40 SMTP connection from [2.84.222.207]:63300 (TCP/IP connection count = 4)
2022-04-27 04:01:40 SMTP connection from [2.84.222.207]:63302 (TCP/IP connection count = 5)
2022-04-27 04:01:41 SMTP connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63303 closed by QUIT
2022-04-27 04:01:41 SMTP connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63302 closed by QUIT
2022-04-27 04:01:41 SMTP connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63301 closed by QUIT
2022-04-27 04:01:41 SMTP connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63300 closed by QUIT
2022-04-27 04:02:27 SMTP connection from [2.84.222.207]:63314 (TCP/IP connection count = 2)
2022-04-27 04:02:27 SMTP connection from [2.84.222.207]:63315 (TCP/IP connection count = 3)
2022-04-27 04:02:27 SMTP connection from [2.84.222.207]:63316 (TCP/IP connection count = 4)
2022-04-27 04:02:27 SMTP connection from [2.84.222.207]:63317 (TCP/IP connection count = 5)
2022-04-27 04:02:29 SMTP connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63315 closed by QUIT
2022-04-27 04:02:29 SMTP connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63317 closed by QUIT
2022-04-27 04:02:29 SMTP connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63316 closed by QUIT
2022-04-27 04:02:29 SMTP connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63314 closed by QUIT
2022-04-27 04:04:10 SMTP command timeout on connection from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:63272
2022-04-27 07:38:29 SMTP connection from [2.84.222.207]:63333 (TCP/IP connection count = 1)
2022-04-27 07:38:29 SMTP connection from [2.84.222.207]:63334 (TCP/IP connection count = 2)
2022-04-27 07:38:29 SMTP connection from [2.84.222.207]:63335 (TCP/IP connection count = 3)
2022-04-27 07:38:29 SMTP connection from [2.84.222.207]:63336 (TCP/IP connection count = 4)
2022-04-27 07:41:16 TLS error on connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63333 (SSL_accept): timed out
2022-04-27 07:41:16 TLS error on connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63335 (SSL_accept): timed out
2022-04-27 07:41:19 SMTP command timeout on TLS connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63336
2022-04-27 07:41:19 SMTP command timeout on TLS connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63334
2022-04-27 07:44:01 SMTP command timeout on connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63333
2022-04-27 07:44:01 SMTP command timeout on connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63335
2022-04-27 09:26:34 SMTP connection from [2.84.222.207]:63344 (TCP/IP connection count = 1)
2022-04-27 09:26:34 SMTP connection from [2.84.222.207]:63343 (TCP/IP connection count = 2)
2022-04-27 09:29:39 SMTP command timeout on connection from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:63343
2022-04-27 09:29:40 SMTP command timeout on connection from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:63344
2022-04-27 09:29:40 H=ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:63344 Warning: "Connection Ratelimit - ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:63344 because of notquit: command-timeout (2.0/1h max:1.2)"
2022-04-27 09:38:50 SMTP connection from [2.84.222.207]:63350 (TCP/IP connection count = 1)
2022-04-27 09:38:51 SMTP connection from [2.84.222.207]:63358 (TCP/IP connection count = 2)
2022-04-27 09:38:51 SMTP connection from [2.84.222.207]:63359 (TCP/IP connection count = 3)
2022-04-27 09:38:53 SMTP connection from [2.84.222.207]:63366 (TCP/IP connection count = 4)
2022-04-27 09:41:40 SMTP command timeout on TLS connection from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:63350
2022-04-27 09:41:40 SMTP command timeout on TLS connection from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:63366
2022-04-27 09:41:40 SMTP command timeout on TLS connection from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:63358
2022-04-27 09:41:40 SMTP command timeout on TLS connection from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:63359
2022-04-27 09:53:52 SMTP connection from [2.84.222.207]:63371 (TCP/IP connection count = 1)
2022-04-27 09:53:52 SMTP connection from [2.84.222.207]:63372 (TCP/IP connection count = 2)
2022-04-27 09:53:58 SMTP connection from [2.84.222.207]:63383 (TCP/IP connection count = 3)
2022-04-27 09:53:58 SMTP connection from [2.84.222.207]:63382 (TCP/IP connection count = 4)
2022-04-27 09:54:00 SMTP connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63382 closed by QUIT
2022-04-27 09:54:00 SMTP connection from ppp-2-84-222-207.home.otenet.gr (smtpclient.apple) [2.84.222.207]:63383 closed by QUIT
2022-04-27 09:54:12 H=ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:63371 temporarily rejected connection in "connect" ACL: "Host is ratelimited (1.3/1h max:1.2)"
2022-04-27 09:56:37 SMTP command timeout on connection from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:63372
2022-04-27 18:27:41 SMTP connection from [2.84.222.207]:62943 (TCP/IP connection count = 1)
2022-04-27 18:27:41 SMTP connection from [2.84.222.207]:62944 (TCP/IP connection count = 2)
2022-04-27 18:27:41 SMTP connection from [2.84.222.207]:62945 (TCP/IP connection count = 3)
2022-04-27 18:27:41 SMTP connection from [2.84.222.207]:62946 (TCP/IP connection count = 4)
2022-04-27 18:27:41 SMTP connection from [2.84.222.207]:62947 (TCP/IP connection count = 5)
2022-04-27 18:27:41 SMTP connection from [2.84.222.207]:62948 (TCP/IP connection count = 6)
2022-04-27 18:27:41 SMTP call from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:62945 dropped: too many syntax or protocol errors (last command was "\001??S???\026?\024??\021mail.theirdomain.gr?", NULL)
2022-04-27 18:30:26 SMTP command timeout on connection from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:62946
2022-04-27 18:30:26 SMTP command timeout on connection from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:62943
2022-04-27 18:30:26 SMTP command timeout on connection from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:62944
2022-04-27 18:30:26 SMTP command timeout on connection from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:62947
2022-04-27 18:30:26 SMTP command timeout on connection from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:62948



Then checking the contents of the exim_rejectlog I can find only these two records for their IP:

2022-04-27 09:54:12 H=ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:63371 temporarily rejected connection in "connect" ACL: "Host is ratelimited (1.3/1h max:1.2)"
2022-04-27 18:27:41 SMTP call from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:62945 dropped: too many syntax or protocol errors (last command was "\001??S???\026?\024??\021mail.theirdomain.gr?", NULL)


/var/log/messages does not contain any lines for their IP, but lfd.log does contain the following:

Apr 27 18:27:47 cpnl lfd[28776]: (eximsyntax) Exim syntax errors from 2.84.222.207 (ppp-2-84-222-207.home.otenet.gr): 1 in the last 300 secs - *Blocked in csf* [LF_TRIGGER]

Lastly, the maillog contains the following:

Apr 27 04:01:25 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18518, TLS, session=<QVJBWZjdKfcCVN7P>
Apr 27 04:01:25 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18519, TLS, session=<tmhBWZjdJvcCVN7P>
Apr 27 04:01:26 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18523, TLS, session=<WehGWZjdJ/cCVN7P>
Apr 27 04:01:26 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18528, TLS, session=<rOVQWZjdK/cCVN7P>
Apr 27 04:01:27 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18530, TLS, session=<G2lVWZjdLPcCVN7P>
Apr 27 04:01:27 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18533, TLS, session=</NRZWZjdLfcCVN7P>
Apr 27 04:01:35 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18569, TLS, session=<7D3YWZjdN/cCVN7P>
Apr 27 04:01:35 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18570, TLS, session=<k0zYWZjdOfcCVN7P>
Apr 27 04:01:35 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18571, TLS, session=<4K7YWZjdNvcCVN7P>
Apr 27 04:01:35 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18572, TLS, session=<W7zZWZjdOPcCVN7P>
Apr 27 04:01:35 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18576, TLS, session=<26LcWZjdPPcCVN7P>
Apr 27 04:01:36 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18577, TLS, session=<7DzgWZjdPfcCVN7P>
Apr 27 04:01:36 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18578, TLS, session=<QYfmWZjdPvcCVN7P>
Apr 27 04:01:36 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18580, TLS, session=<yT/pWZjdP/cCVN7P>
Apr 27 04:01:36 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18581, TLS, session=<aYbpWZjdQPcCVN7P>
Apr 27 04:01:36 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18582, TLS, session=<fIvpWZjdQfcCVN7P>
Apr 27 04:01:37 cpnl dovecot: imap-login: Disconnected: Connection closed: read(size=541) failed: Connection reset by peer (no auth attempts in 7 secs): user=<>, rip=2.84.222.207, lip=theServerIP, TLS: read(size=541) failed: Connection reset by peer, session=<YO76WZjdMfcCVN7P>
Apr 27 04:01:40 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18608, TLS, session=<tbYnWpjdQ/cCVN7P>
Apr 27 04:02:28 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18880, TLS, session=<OPoAXZjdUfcCVN7P>
Apr 27 04:02:29 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18887, TLS, session=<e90UXZjdWvcCVN7P>
Apr 27 04:02:30 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18888, TLS, session=<FyMWXZjdWfcCVN7P>
Apr 27 04:02:30 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18890, TLS, session=<d/oWXZjdV/cCVN7P>
Apr 27 04:02:30 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18893, TLS, session=<wxwdXZjdXfcCVN7P>
Apr 27 04:02:30 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18894, TLS, session=<JiEdXZjdWPcCVN7P>
Apr 27 04:02:31 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18900, TLS, session=<r7QkXZjdW/cCVN7P>
Apr 27 04:02:31 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18901, TLS, session=<DnolXZjdXPcCVN7P>
Apr 27 04:02:31 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=18903, TLS, session=</fomXZjdXvcCVN7P>
Apr 27 04:04:30 cpnl dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=2.84.222.207, lip=theServerIP, TLS handshaking, session=<HatAZJjdL/cCVN7P>
Apr 27 04:04:30 cpnl dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=2.84.222.207, lip=theServerIP, TLS handshaking, session=<rDxGZJjdMvcCVN7P>
Apr 27 04:04:30 cpnl dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=2.84.222.207, lip=theServerIP, TLS handshaking, session=<T5FGZJjdM/cCVN7P>
Apr 27 07:41:30 cpnl dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 181 secs): user=<>, rip=2.84.222.207, lip=theServerIP, TLS, session=<frhKbJvdafcCVN7P>
Apr 27 09:41:50 cpnl dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=2.84.222.207, lip=theServerIP, TLS, session=<C2mpGp3dd/cCVN7P>
Apr 27 09:41:51 cpnl dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=2.84.222.207, lip=theServerIP, TLS, session=<EQ65Gp3dgPcCVN7P>
Apr 27 09:41:51 cpnl dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=2.84.222.207, lip=theServerIP, TLS, session=<Pqu6Gp3dgfcCVN7P>
Apr 27 09:41:51 cpnl dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=2.84.222.207, lip=theServerIP, TLS, session=<KKy6Gp3dgvcCVN7P>
Apr 27 09:41:53 cpnl dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=2.84.222.207, lip=theServerIP, TLS handshaking, session=<pADdGp3dhfcCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19425, TLS, session=<w0JHRqLdvOQCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19426, TLS, session=<uUFHRqLdweQCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19427, TLS, session=<pURHRqLdw+QCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19428, TLS, session=<k0RHRqLdwuQCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19430, TLS, session=<qz9IRqLdvuQCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19431, TLS, session=<aENHRqLdwOQCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19433, TLS, session=<2/FMRqLd1eQCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19434, TLS, session=<3ExNRqLd2OQCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19435, TLS, session=<p3ZNRqLd1uQCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19437, TLS, session=<HqVNRqLd1+QCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19441, TLS, session=<PhlQRqLdyOQCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19442, TLS, session=<73pQRqLdz+QCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19443, TLS, session=<+3RQRqLdzOQCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19444, TLS, session=</Z1RRqLd0+QCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19445, TLS, session=<aPRRRqLdzeQCVN7P>
Apr 27 15:51:57 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19446, TLS, session=<xOFSRqLdzuQCVN7P>
Apr 27 15:51:58 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19448, TLS, session=<AFhWRqLd2eQCVN7P>
Apr 27 15:51:58 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19449, TLS, session=<aAFXRqLd2uQCVN7P>
Apr 27 15:51:58 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19450, TLS, session=<Oi9YRqLd3OQCVN7P>
Apr 27 15:51:58 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=19451, TLS, session=<7FNZRqLd3eQCVN7P>
Apr 27 15:54:14 cpnl dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2.84.222.207, lip=theServerIP, mpid=20353, TLS, session=<SQp9TqLdZeUCVN7P>

Does all of this help any towards narrowing down the issue at hand?
 

skrl

Active Member
Mar 18, 2021
37
6
8
Kingston
cPanel Access Level
Website Owner
Could it be possible that their Mac is infected with something that is causing all that activity?

I am especially concerned with the following record found in the exim_rejectlog:

2022-04-27 18:27:41 SMTP call from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:62945 dropped: too many syntax or protocol errors (last command was "\001??S???\026?\024??\021mail.theirdomain.gr?", NULL)

That does not seem like a normal server address to me. It should be just mail.theirdomain.gr. I don't know what is prepended to the expected value instead. Attempting to paste the \001??S???\026?\024??\021 to the browser URL bar to do a web search for it, I am being redirected to some documents online. The destination keeps changing after some time passes. In the morning it was some US map (https://www.fs.usda.gov/Internet/FSE_DOCUMENTS/stelprdb5285121.pdf) now it is some parts list of some sorts (https://www.hendrickson-intl.com/getattachment/0d4ba496-e263-4917-95ce-ef97d848e3c8/L937.pdf). Next I don't know what it'll be. The point is that that shouldn't be there at all anyway.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
14,257
2,220
363
cPanel Access Level
Root Administrator
I'm a fan of the phrase "never come up with reasons not to test something" - could it be some type of malware on their system? Sure. No matter what it ends up being, though, I don't think the fix will be on the cPanel side of things.
 

kdean

Well-Known Member
Oct 19, 2012
406
79
78
Orlando, FL
cPanel Access Level
Root Administrator
Have them check their account server settings and uncheck "Automatically manage connection settings" for both incoming and outgoing mail servers and make sure the Port numbers are set correctly.

automatic.png

This should fix it trying alternate ports when it has trouble with the regular ones, due to network failures or simply incorrect username or password entered.

For example, I had a client the other day who had a combination of an incorrect password triggering a temporary block after repeated attempts, and then it would hit the other non-active ports, triggering a port scanning block.
 

skrl

Active Member
Mar 18, 2021
37
6
8
Kingston
cPanel Access Level
Website Owner
I had them do so, and they shared screenshots of the before and after states of their settings. I even checked it myself on their computer via Anydesk, and there was nothing sketchy there. I also requested they perform a virus scan on their Mac, which they did, and that yielded zero infections. :(
 

Spirogg

Well-Known Member
Feb 21, 2018
700
161
43
chicago
cPanel Access Level
Root Administrator
I had them do so, and they shared screenshots of the before and after states of their settings. I even checked it myself on their computer via Anydesk, and there was nothing sketchy there. I also requested they perform a virus scan on their Mac, which they did, and that yielded zero infections. :(
What Mac OS are they using? Could it be that the software of their mail client is too old?
I just read something similar to this; the fix was to update the OS on the Mac, and it worked for them.
Here is the link to the read.
 

sparek-3

Well-Known Member
Aug 10, 2002
2,135
260
388
cPanel Access Level
Root Administrator
2022-04-27 18:27:41 SMTP call from ppp-2-84-222-207.home.otenet.gr [2.84.222.207]:62945 dropped: too many syntax or protocol errors (last command was "\001??S???\026?\024??\021mail.theirdomain.gr?", NULL)
This looks like it could be some confusion over how SSL/TLS is being handled with the connection.

Email clients do a really, really, really poor job of distinguishing SSL/TLS types.

For Exim and Dovecot SMTP and POP3/IMAP services there is something called tls_on_connect - this is where the entire connection from start to finish is encapsulated in TLS.

There's also upgrading a non-tls connection to TLS using STARTTLS (or the POP3/IMAP variant of this - I forget the actual name).

TYPICALLY... at least on the cPanel servers I manage, Exim (SMTP) tls_on_connect is running on port 465. That means if you connect to the mail server on port 465, Exim is expecting the entire connection to be encapsulated in TLS.

If you connect on regular SMTP ports such as 25 or 587 (587 is commonly a message submission port, but not necessarily depending on how you have your server configured) the client connecting can REQUEST an upgrade to TLS using STARTTLS and then the connection is secured from then on.

The trouble is MOST email clients (and I don't know where Apple Mail clients specifically stand on this) just give one option when setting up an email account... "Connect to this server securely?" With a neat little check box.

OK... does that checkbox mean that you want your client to request an upgrade to TLS (i.e. STARTTLS) upon connecting to the server? Or does that checkbox mean that the server you are connecting to expects the connection to be tls_on_connect and have the whole thing TLS encapsulated? The former would use port 25 (or port 587 if you're using the message submission port), the latter would use port 465.

Looking at this line from the logs - it looks like the CLIENT may be expecting tls_on_connect, so it's sending the whole connection over TLS - but the client is connecting on a non-tls_on_connect port (i.e. port 25 or port 587). The solution would be to make sure that the user is connecting on port 465 for this specific client.

Trouble is... this won't necessarily be the same for different email clients. This is why email clients do a really horrible job of providing an end-user experience that specifies exactly what they're doing.

Instead of a single check box for "Connect to this server securely?" there should be a drop down box or options for "Use tls_on_connect to secure this connection? or Request TLS upgrade on this connection?" That would make the action a bit more clear to me.
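The reading of the exim_rejectlog line given in the post above can be checked mechanically. The following is an added example, not part of the original posts and not cPanel or Exim code: it tests whether the logged "last command" contains the header of a TLS server_name (SNI) extension, which is what a ClientHello sent to a plaintext SMTP port would leave behind. The function names are hypothetical, and it assumes non-printing bytes are logged as `\ooo` octal escapes and that each `?` stands for a byte whose value was lost.

```python
import re

REJECT_RE = re.compile(
    r"dropped: too many syntax or protocol errors "
    r'\(last command was "(?P<cmd>.*)",'
)
SIMPLE_ESCAPES = {"\\": 0x5C, "n": 0x0A, "r": 0x0D, "t": 0x09,
                  "b": 0x08, "f": 0x0C, "v": 0x0B}
HOST_CHARS = set(b"abcdefghijklmnopqrstuvwxyz"
                 b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-")


def unescape(cmd):
    """Turn the logged command into a list of byte values.

    Assumption: non-printing bytes appear as \\ooo octal escapes and a
    literal '?' marks a byte whose value was lost (returned as None).
    """
    out, i = [], 0
    while i < len(cmd):
        if cmd[i] == "?":
            out.append(None)
            i += 1
        elif cmd[i] == "\\" and re.fullmatch(r"[0-7]{3}", cmd[i + 1:i + 4]):
            out.append(int(cmd[i + 1:i + 4], 8))
            i += 4
        elif cmd[i] == "\\" and cmd[i + 1:i + 2] in SIMPLE_ESCAPES:
            out.append(SIMPLE_ESCAPES[cmd[i + 1]])
            i += 2
        else:
            out.append(ord(cmd[i]))
            i += 1
    return out


def find_sni(data):
    """Locate a server_name (SNI) extension header inside the fragment.

    Layout (RFC 6066): type(2)=0, ext_len(2), list_len(2), name_type(1)=0,
    name_len(2), host. The lengths must nest: ext_len = list_len + 2 and
    list_len = name_len + 3. Unknown bytes may stand in for zero bytes.
    """
    for i in range(len(data) - 8):
        w = data[i:i + 9]
        zeros_ok = all(w[k] in (0, None) for k in (0, 1, 2, 4, 6, 7))
        if not zeros_ok or None in (w[3], w[5], w[8]):
            continue
        ext_len, list_len, name_len = w[3], w[5], w[8]
        if ext_len != list_len + 2 or list_len != name_len + 3:
            continue
        host, j = "", i + 9
        while j < len(data) and data[j] in HOST_CHARS:
            host += chr(data[j])
            j += 1
        if host:
            return {"name_len": name_len, "host": host,
                    "host_len_matches": len(host) == name_len}
    return None


def classify(line):
    """Return SNI details if the rejected command looks like TLS, else None."""
    m = REJECT_RE.search(line)
    return find_sni(unescape(m.group("cmd"))) if m else None


# The line quoted in the thread (hostname already redacted by the poster).
PAGE_LINE = (
    r"2022-04-27 18:27:41 SMTP call from ppp-2-84-222-207.home.otenet.gr "
    r"[2.84.222.207]:62945 dropped: too many syntax or protocol errors "
    r'(last command was "\001??S???\026?\024??\021mail.theirdomain.gr?", NULL)'
)
# Constructed samples: a 17-character hostname, and a non-TLS command.
CONSTRUCTED_TLS = (
    r"2022-01-01 00:00:00 SMTP call from [192.0.2.10]:50000 dropped: too many "
    r'syntax or protocol errors (last command was '
    r'"\001??S???\026?\024??\021mail.example.test?", NULL)'
)
CONSTRUCTED_PLAIN = (
    "2022-01-01 00:00:01 SMTP call from [192.0.2.11]:50001 dropped: too many "
    'syntax or protocol errors (last command was "GET / HTTP/1.1", NULL)'
)

if __name__ == "__main__":
    for sample in (PAGE_LINE, CONSTRUCTED_TLS, CONSTRUCTED_PLAIN):
        print(classify(sample))
```

On the line quoted in the thread the three length fields nest correctly (22 = 20 + 2, 20 = 17 + 3), which is consistent with a TLS handshake arriving on a port where Exim expected plaintext SMTP. The hostname length differs from the 17-byte length field there, presumably because the poster replaced the real domain.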
 

kdean

Well-Known Member
Oct 19, 2012
406
79
78
Orlando, FL
cPanel Access Level
Root Administrator
Apple Mail's checkbox is specifically "Use TLS/SSL".

I myself always have people use port 465 without any major issues for any client (or, as usual with Apple, I have people download the setup file and just install a profile to remove any question for the settings).

And as I previously mentioned, unchecking the "Automatically manage connection settings" keeps it from trying alternative ports than what was entered.
 

sparek-3

Well-Known Member
Aug 10, 2002
2,135
260
388
cPanel Access Level
Root Administrator
Apple Mail's checkbox is specifically "Use TLS/SSL".
But does "Use TLS/SSL" mean that the client (Apple Mail) is expecting "tls_on_connect" or "upgrade connection with STARTTLS"? That's the ambiguity of it all.

TECHNICALLY... the way I understand it, port 465 and tls_on_connect shouldn't really be used. Port 465 is not a standard secure SMTP port. There's really no such thing as a standard secure SMTP port. Contrast with port 587 which IS a standard SMTP message submission port and the standard way of securing SMTP is with STARTTLS.

Perhaps I'm misunderstanding things, but I believe this to be TECHNICALLY correct.

However, TECHNICALLY and Real World Use often do not go together. I know I still have port 465 enabled as tls_on_connect on our servers.