IMAP and POP3 authentication constantly fails.

Discussion in 'E-mail Discussions' started by bitzor, May 27, 2013.

  1. bitzor

    bitzor Registered

    Joined:
    Apr 30, 2013
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Hello everybody.

    Maybe this is a resolved issue, but I certainly couldn't find any solutions.

    I have a VPS and my clients are having problems with their mail clients (most use Outlook). It repeatedly asks them for the password when they try to send or receive mail, and the POP and IMAP services work for around 20 minutes before they fail.

    In the lfd log file, these messages can be seen over and over from different IP addresses:

    Code:
    May 27 21:01:00 server lfd[3819]: Failed POP3 login from xxx.xxx.xxx.xxx - ignored
    May 27 21:01:10 server lfd[3819]: Failed POP3 login from xxx.xxx.xxx.xxx - ignored
    May 27 21:02:16 server lfd[3819]: Failed IMAP login from xxx.xxx.xxx.xxx - ignored
    May 27 21:02:26 server lfd[3819]: Failed IMAP login from xxx.xxx.xxx.xxx - ignored
    
    Until now, I couldn't establish a relation between the firewall failures and the issues with the protocols. Not even with the repeated password prompts.

    So, what I am requesting here is that anyone who has had this problem advise me on what I have to do or look at. Thanks in advance.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can first check to see if any of these email accounts have been locked out by cPHulk Brute Force Protection. It's located at:

    "WHM Home » Security Center » cPHulk Brute Force Protection"

    Look under "Login/Brute History Report" if cPHulk is enabled and see if any of your email accounts have been locked out for excessive failed login attempts.

    It's also possible the mail server is running out of available authentication daemons. Does this server use Courier or Dovecot?

    Thank you.
     
  3. bitzor

    Hello.

    This VPS uses Dovecot as the authentication daemon. It isn't a cPHulk problem because I checked that first before moving on to check the logs. That's why I suppose it is a service problem. Furthermore, I raised the values in Authentication Processes and the problem keeps happening.

    Thanks for the help.
     
  4. cPanelMichael

    It's also possible there is a DoS attack on your mail server, and it's using up your available authentication daemons. Try using the following command to see if you notice any IP addresses with a high number of authentication failures:

    Code:
    # awk '/auth failed/ {for (i=1;i<=NF;i=i+1) if ($i~/^rip=/) print $i}' /var/log/maillog |sort|uniq -c|sort -n| tail
    Let us know the result.

    Thank you.
     
  5. bitzor

    Michael. This is the result of the command you gave above:

    Code:
         48 rip=74.82.85.187,
         50 rip=37.9.53.64,
         53 rip=190.121.238.22,
         54 rip=190.15.174.230,
         55 rip=201.210.50.168,
        105 rip=190.15.173.130,
        117 rip=190.72.211.80,
        123 rip=186.167.16.145,
        197 rip=186.95.101.33,
        951 rip=200.11.142.102,
    
    I would like to know if the numbers before the rip are the number of connection attempts. Thanks again for the help.
     
  6. cPanelMichael

    That number does represent the number of failed authentication attempts from that IP address. 951 failed attempts does seem to be quite high. I suggest blocking that IP address with your firewall and seeing if the issue continues.

    Thank you.
     
  7. zoltanpaszinger

    Joined:
    Mar 12, 2009
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Hello

    Same issue here.

    Here is the output.
    The problem is: 89.135.145.126 is the user who reported the problem with Outlook; his password is good, double-checked in webmail.

    Another problem is: 333 rip=46.4.102.41 is the server's own IP address...
     
  8. cPanelMichael

    Have you tried increasing the "Maximum Number of Authentication Processes" value in "WHM Home » Service Configuration » Mailserver Configuration"? Did you verify the email address is not blocked by cPHulk?

    Thank you.
     
  9. zoltanpaszinger

    This is a very nice command, I really like it :)

    Can somebody write me another command line to find which mailboxes failed authentication? Thank you!
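
Added example (not part of the original thread, and not cPanel's own tooling): one way to answer the request above is to tally Dovecot "auth failed" lines per mailbox and source IP, then per IP with the number of distinct mailboxes tried. The function names and the sample log lines are constructed for illustration, and the log layout (`user=<...>`, `rip=...` fields) is assumed to match the output quoted earlier in the thread.

```shell
#!/bin/sh
# Constructed sample lines in the usual Dovecot login-log layout (not from the thread).
sample_log() {
    cat <<'EOF'
May 27 21:01:00 server dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
May 27 21:01:10 server dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
May 27 21:01:20 server dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
May 27 21:01:30 server dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5
May 27 21:02:00 server dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
May 27 21:02:05 server dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<carol@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
May 27 21:02:10 server dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<dave@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
EOF
}

# Output columns: failures  mailbox  source-ip (busiest pair last).
failed_by_mailbox() {
    awk '/auth failed/ {
        user = "(none)"; rip = "(none)"
        for (i = 1; i <= NF; i++) {
            f = $i
            sub(/,$/, "", f)                       # drop the trailing comma
            if (f ~ /^user=</) { user = f; sub(/^user=</, "", user); sub(/>$/, "", user) }
            else if (f ~ /^rip=/) { rip = substr(f, 5) }
        }
        if (user == "") user = "(none)"            # failures logged with user=<>
        n[user " " rip]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -n
}

# Output columns: failures  distinct-mailboxes  source-ip.
# One mailbox from one IP points to a client with a stale password;
# many mailboxes from one IP points to password guessing.
mailboxes_per_ip() {
    failed_by_mailbox "$1" | awk '{ fails[$3] += $1; boxes[$3]++ }
        END { for (ip in fails) print fails[ip], boxes[ip], ip }' | sort -n
}

# Stand-alone demo on the constructed sample; point the functions at /var/log/maillog on a real server.
tmp=$(mktemp) && sample_log > "$tmp"
mailboxes_per_ip "$tmp"
rm -f "$tmp"
```
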
     
  10. gopkris2005

    gopkris2005 Well-Known Member

    Joined:
    Jan 9, 2007
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    INDIA
    cPanel Access Level:
    Root Administrator
    Great tip for finding out about an authentication attack.
     