The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

[Case 54362] CPHulk vs Dovecot / IMAP

Discussion in 'E-mail Discussions' started by bojan050, Dec 11, 2013.

  1. bojan050

    bojan050 Member

    Joined:
    Dec 11, 2013
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,

    A few times a day my e-mailclient (Outlook / IPad Mail) throws an authentication error. When I look in the mail-log I see the following:

    Code:
    Dec 11 13:32:28 srv1 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'example@example.com' to access service 'mail' from IP 'myIP'
    Dec 11 13:32:29 srv1 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'example@example.com' to access service 'mail' from IP 'myIP'
    I have whitelisted my IP but I still get this errors. Any ideas?
     
  2. pachiko

    pachiko Active Member

    Joined:
    Nov 11, 2013
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hello,
    can you check your IP address with in cphulk data base using command line.
     
  3. bojan050

    bojan050 Member

    Joined:
    Dec 11, 2013
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I checked from commandline, My IP adres is listed in the whitelist table, not on the blacklist. The Brutes-table is empty.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,762
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Check the "Login/Brute History Report" in "WHM Home » Security Center » cPHulk Brute Force Protection" the next time this happens and see if there are any reports of failed logins for that email account as opposed to just checking for your IP address.

    Thank you.
     
  5. bojan050

    bojan050 Member

    Joined:
    Dec 11, 2013
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi Michael,

    That's the first place I looked. No entries there. The list is empty.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,762
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I recommend opening a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  7. bojan050

    bojan050 Member

    Joined:
    Dec 11, 2013
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi,

    I created a ticket. Number is 4418317.

    Thanks.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,762
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    We were able to reproduce the issue where logins to services fail when the IP address is whitelisted and the account has been locked out by cPhulkd. An internal case is open with our development team to determine if this behavior is by design. For reference, the case number is 54362. I will update this thread with more information as it becomes available.

    Thank you.
     
  9. tsiedsma

    tsiedsma Active Member

    Joined:
    Nov 1, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Ankeny, Iowa
    cPanel Access Level:
    Root Administrator
    Twitter:
    I'm seeing the exact same issue only the IP isn't whitelisted or blacklisted and doesn't show up in the history of cphulk. It's very odd. Has there been any updates to this issue? A customer has complained that they consistently get an error in their email client when connecting via IMAP.

    I checked the maillog and found this occurring at about the same frequency as they have reported. The odd thing is, the cphulk history, whitelist and blacklist do not contain the IP or account in question.

    Code:
    Jan  1 11:20:53 cpsrv12 dovecot: imap(user@domain.com): Disconnected: Logged out in=265, out=2687, bytes=265/2687
    Jan  1 11:22:03 cpsrv12 dovecot: imap-login: Login: user=<user@domain.com>, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=555629, TLS, session=<RFqxE+vuaQBQbAES>
    Jan  1 11:22:05 cpsrv12 dovecot: imap(user@domain.com): Disconnected: Logged out in=275, out=7862, bytes=275/7862
    Jan  1 11:22:53 cpsrv12 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'user@domain.com' to access service 'mail' from IP 'customer_ip'
    Jan  1 11:22:55 cpsrv12 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<user@domain.com>, method=PLAIN, rip=customer_ip, lip=server_ip, TLS, session=<iHeJFuvupgBQbAES>
    Jan  1 11:24:48 cpsrv12 dovecot: imap-login: Login: user=<user@domain.com>, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=556446, TLS, session=<OUuXHevuKABQbAES>
    Jan  1 11:24:50 cpsrv12 dovecot: imap(user@domain.com): Disconnected: Logged out in=265, out=2687, bytes=265/2687
    Jan  1 11:25:07 cpsrv12 dovecot: imap-login: Login: user=<user@domain.com>, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=556980, TLS, session=<hXS8HuvuSgBQbAES>
    According to the customer, the mail client has the password saved. It successfully logs in and then will eventually fail and popup and error "AUTHENTICATION FAILED". The mail client will successfully log in after additional login attempts without changing the password.

    This is automated, the user is not typing in the credentials incorrectly.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,762
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I went ahead and removed the new thread so you can have the issue handled here. I suggest opening a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  11. tsiedsma

    tsiedsma Active Member

    Joined:
    Nov 1, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Ankeny, Iowa
    cPanel Access Level:
    Root Administrator
    Twitter:
    Ticket created #4433447
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,762
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    To update, it was determined these were aborted login attempts, indicating the client did not complete the login sequence. It was recommended to update the polling interval to at least 5 minutes in the email clients.

    Thank you.
     
Loading...

Share This Page