[Case 54362] CPHulk vs Dovecot / IMAP

bojan050

Member
Dec 11, 2013
7
0
1
cPanel Access Level
Root Administrator
Hello,

A few times a day my e-mailclient (Outlook / IPad Mail) throws an authentication error. When I look in the mail-log I see the following:

Code:
Dec 11 13:32:28 srv1 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user '[email protected]' to access service 'mail' from IP 'myIP'
Dec 11 13:32:29 srv1 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user '[email protected]' to access service 'mail' from IP 'myIP'
I have whitelisted my IP but I still get this errors. Any ideas?
 

pachiko

Active Member
Nov 11, 2013
30
0
6
cPanel Access Level
Root Administrator
Hello,

A few times a day my e-mailclient (Outlook / IPad Mail) throws an authentication error. When I look in the mail-log I see the following:

Code:
Dec 11 13:32:28 srv1 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user '[email protected]' to access service 'mail' from IP 'myIP'
Dec 11 13:32:29 srv1 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user '[email protected]' to access service 'mail' from IP 'myIP'
I have whitelisted my IP but I still get this errors. Any ideas?
Hello,
can you check your IP address with in cphulk data base using command line.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
Hello :)

Check the "Login/Brute History Report" in "WHM Home » Security Center » cPHulk Brute Force Protection" the next time this happens and see if there are any reports of failed logins for that email account as opposed to just checking for your IP address.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
I recommend opening a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
We were able to reproduce the issue where logins to services fail when the IP address is whitelisted and the account has been locked out by cPhulkd. An internal case is open with our development team to determine if this behavior is by design. For reference, the case number is 54362. I will update this thread with more information as it becomes available.

Thank you.
 

tsiedsma

Active Member
Nov 1, 2006
27
0
151
US
cPanel Access Level
Root Administrator
I'm seeing the exact same issue only the IP isn't whitelisted or blacklisted and doesn't show up in the history of cphulk. It's very odd. Has there been any updates to this issue? A customer has complained that they consistently get an error in their email client when connecting via IMAP.

I checked the maillog and found this occurring at about the same frequency as they have reported. The odd thing is, the cphulk history, whitelist and blacklist do not contain the IP or account in question.

Code:
Jan  1 11:20:53 cpsrv12 dovecot: imap([email protected]): Disconnected: Logged out in=265, out=2687, bytes=265/2687
Jan  1 11:22:03 cpsrv12 dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=555629, TLS, session=<RFqxE+vuaQBQbAES>
Jan  1 11:22:05 cpsrv12 dovecot: imap([email protected]): Disconnected: Logged out in=275, out=7862, bytes=275/7862
Jan  1 11:22:53 cpsrv12 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user '[email protected]' to access service 'mail' from IP 'customer_ip'
Jan  1 11:22:55 cpsrv12 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=customer_ip, lip=server_ip, TLS, session=<iHeJFuvupgBQbAES>
Jan  1 11:24:48 cpsrv12 dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=556446, TLS, session=<OUuXHevuKABQbAES>
Jan  1 11:24:50 cpsrv12 dovecot: imap([email protected]): Disconnected: Logged out in=265, out=2687, bytes=265/2687
Jan  1 11:25:07 cpsrv12 dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=556980, TLS, session=<hXS8HuvuSgBQbAES>
According to the customer, the mail client has the password saved. It successfully logs in and then will eventually fail and popup and error "AUTHENTICATION FAILED". The mail client will successfully log in after additional login attempts without changing the password.

This is automated, the user is not typing in the credentials incorrectly.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
I went ahead and removed the new thread so you can have the issue handled here. I suggest opening a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
Ticket created #4433447
To update, it was determined these were aborted login attempts, indicating the client did not complete the login sequence. It was recommended to update the polling interval to at least 5 minutes in the email clients.

Thank you.