Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

[Case 54362] CPHulk vs Dovecot / IMAP

Discussion in 'E-mail Discussion' started by bojan050, Dec 11, 2013.

  1. bojan050

    bojan050 Member

    Joined:
    Dec 11, 2013
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,

    A few times a day my e-mailclient (Outlook / IPad Mail) throws an authentication error. When I look in the mail-log I see the following:

    Code:
    Dec 11 13:32:28 srv1 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'example@example.com' to access service 'mail' from IP 'myIP'
    Dec 11 13:32:29 srv1 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'example@example.com' to access service 'mail' from IP 'myIP'
    I have whitelisted my IP but I still get this errors. Any ideas?
     
  2. pachiko

    pachiko Active Member

    Joined:
    Nov 11, 2013
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hello,
    can you check your IP address with in cphulk data base using command line.
     
  3. bojan050

    bojan050 Member

    Joined:
    Dec 11, 2013
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I checked from commandline, My IP adres is listed in the whitelist table, not on the blacklist. The Brutes-table is empty.
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,532
    Likes Received:
    1,966
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello :)

    Check the "Login/Brute History Report" in "WHM Home » Security Center » cPHulk Brute Force Protection" the next time this happens and see if there are any reports of failed logins for that email account as opposed to just checking for your IP address.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. bojan050

    bojan050 Member

    Joined:
    Dec 11, 2013
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi Michael,

    That's the first place I looked. No entries there. The list is empty.
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,532
    Likes Received:
    1,966
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    I recommend opening a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. bojan050

    bojan050 Member

    Joined:
    Dec 11, 2013
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi,

    I created a ticket. Number is 4418317.

    Thanks.
     
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,532
    Likes Received:
    1,966
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    We were able to reproduce the issue where logins to services fail when the IP address is whitelisted and the account has been locked out by cPhulkd. An internal case is open with our development team to determine if this behavior is by design. For reference, the case number is 54362. I will update this thread with more information as it becomes available.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. tsiedsma

    tsiedsma Active Member

    Joined:
    Nov 1, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Ankeny, Iowa
    cPanel Access Level:
    Root Administrator
    Twitter:
    I'm seeing the exact same issue only the IP isn't whitelisted or blacklisted and doesn't show up in the history of cphulk. It's very odd. Has there been any updates to this issue? A customer has complained that they consistently get an error in their email client when connecting via IMAP.

    I checked the maillog and found this occurring at about the same frequency as they have reported. The odd thing is, the cphulk history, whitelist and blacklist do not contain the IP or account in question.

    Code:
    Jan  1 11:20:53 cpsrv12 dovecot: imap(user@domain.com): Disconnected: Logged out in=265, out=2687, bytes=265/2687
    Jan  1 11:22:03 cpsrv12 dovecot: imap-login: Login: user=<user@domain.com>, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=555629, TLS, session=<RFqxE+vuaQBQbAES>
    Jan  1 11:22:05 cpsrv12 dovecot: imap(user@domain.com): Disconnected: Logged out in=275, out=7862, bytes=275/7862
    Jan  1 11:22:53 cpsrv12 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'user@domain.com' to access service 'mail' from IP 'customer_ip'
    Jan  1 11:22:55 cpsrv12 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<user@domain.com>, method=PLAIN, rip=customer_ip, lip=server_ip, TLS, session=<iHeJFuvupgBQbAES>
    Jan  1 11:24:48 cpsrv12 dovecot: imap-login: Login: user=<user@domain.com>, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=556446, TLS, session=<OUuXHevuKABQbAES>
    Jan  1 11:24:50 cpsrv12 dovecot: imap(user@domain.com): Disconnected: Logged out in=265, out=2687, bytes=265/2687
    Jan  1 11:25:07 cpsrv12 dovecot: imap-login: Login: user=<user@domain.com>, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=556980, TLS, session=<hXS8HuvuSgBQbAES>
    According to the customer, the mail client has the password saved. It successfully logs in and then will eventually fail and popup and error "AUTHENTICATION FAILED". The mail client will successfully log in after additional login attempts without changing the password.

    This is automated, the user is not typing in the credentials incorrectly.
     
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,532
    Likes Received:
    1,966
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    I went ahead and removed the new thread so you can have the issue handled here. I suggest opening a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. tsiedsma

    tsiedsma Active Member

    Joined:
    Nov 1, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Ankeny, Iowa
    cPanel Access Level:
    Root Administrator
    Twitter:
    Ticket created #4433447
     
  12. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,532
    Likes Received:
    1,966
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    To update, it was determined these were aborted login attempts, indicating the client did not complete the login sequence. It was recommended to update the polling interval to at least 5 minutes in the email clients.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice