IMAP and POP3 authentication constantly fails.

bitzor

Registered
Apr 30, 2013
3
0
1
cPanel Access Level
Website Owner
Hello everybody.

Maybe this is a resolved issue, but I certainly couldn't find any solutions.

I have a VPS and my clients are having problems with their mail clients (most use Outlook). It repeatedly asks them for the password when they try to send or receive mail, and the POP and IMAP services work for around 20 minutes before they fail.

In the lfd log file these messages can be seen over and over from different IP addresses:

Code:
May 27 21:01:00 server lfd[3819]: Failed POP3 login from xxx.xxx.xxx.xxx - ignored
May 27 21:01:10 server lfd[3819]: Failed POP3 login from xxx.xxx.xxx.xxx - ignored
May 27 21:02:16 server lfd[3819]: Failed IMAP login from xxx.xxx.xxx.xxx - ignored
May 27 21:02:26 server lfd[3819]: Failed IMAP login from xxx.xxx.xxx.xxx - ignored
Until now, I couldn't establish a relation between the firewall failure and the issues with the protocols. Not even with the repeated password asking.

So, what I am requesting here is that anyone who has had this problem advise me on what I have to do or look at. Thanks in advance.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Hello :)

You can first check to see if any of these email accounts have been locked out by cPHulk Brute Force Protection. It's located at:

"WHM Home » Security Center » cPHulk Brute Force Protection"

Look under "Login/Brute History Report" if cPHulk is enabled and see if any of your email accounts have been locked out for excessive failed login attempts.

It's also possible the mail server is running out of available authentication daemons. Does this server use Courier or Dovecot?

Thank you.
 

bitzor

Hello.

This VPS uses Dovecot as the authentication daemon. It isn't a cPHulk problem because I checked that first before moving on to check the logs. That's why I suppose it is a service problem. Furthermore, I raised the values in Authentication Processes and the problem keeps happening.

Thanks for the help.
 

cPanelMichael

It's also possible there is a DOS attack on your mail server, and it's using up your available authentication daemons. Try using the following command to see if you notice any IP addresses with a high number of authentication failures:

Code:
# awk '/auth failed/ {for (i=1;i<=NF;i=i+1) if ($i~/rip/) print $i}' /var/log/maillog |sort|uniq -c|sort -n| tail
Let us know the result.

Thank you.
 

bitzor

Michael. This is the result of the command you gave above:

Code:
     48 rip=74.82.85.187,
     50 rip=37.9.53.64,
     53 rip=190.121.238.22,
     54 rip=190.15.174.230,
     55 rip=201.210.50.168,
    105 rip=190.15.173.130,
    117 rip=190.72.211.80,
    123 rip=186.167.16.145,
    197 rip=186.95.101.33,
    951 rip=200.11.142.102,
I would like to know if the numbers before the rip are the number of connection attempts. Thanks again for the help.
 

cPanelMichael

That number does represent the number of failed authentication attempts from that IP address. 951 failed attempts does seem to be quite high. I suggest blocking that IP address with your firewall and seeing if the issue continues.

Thank you.
 
Mar 12, 2009
21
0
51
Hello

Same issue here.

Here is the output:
20 rip=89.135.145.126,
24 rip=177.189.241.29,
30 rip=194.176.250.84,
30 rip=75.61.35.142,
33 rip=176.74.184.49,
34 rip=41.59.254.243,
52 rip=127.0.0.1,
62 rip=185.10.125.248,
126 rip=89.133.233.93,
333 rip=46.4.102.41,
The problem is: 89.135.145.126 is the user who issued the problem with Outlook. His password is good, double-checked at webmail.

Another problem is: 333 rip=46.4.102.41 is the server's own IP address...
 

cPanelMichael

Have you tried increasing the "Maximum Number of Authentication Processes" value in "WHM Home » Service Configuration » Mailserver Configuration"? Did you verify the email address is not blocked by cPHulk?

Thank you.
 
Mar 12, 2009
This is a very nice command, I really like it :)

awk '/auth failed/ {for (i=1;i<=NF;i=i+1) if ($i~/rip/) print $i}' /var/log/maillog |sort|uniq -c|sort -n| tail
Can somebody write me another command line to find which mailboxes failed authentication? Thank you!
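
The per-mailbox breakdown asked for above, as an added example that is not part of the original thread: it extends the `rip=` count to report each mailbox/source pair and sums the attempt count Dovecot records on each line. The function names and the sample log lines are constructed for illustration, and the line layout (`auth failed, N attempts`, `user=<...>`, `rip=...`) is an assumption about how Dovecot writes to `/var/log/maillog` on this kind of server.

```shell
#!/bin/sh
# Added example: which mailbox failed, from which address, and how many tries.
# Constructed sample lines (example.com mailboxes, documentation IP ranges).
sample_log() {
cat <<'EOF'
May 27 21:01:00 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<info@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.10
May 27 21:01:10 server dovecot: imap-login: Aborted login (auth failed, 3 attempts in 12 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.10
May 27 21:02:16 server dovecot: imap-login: Disconnected (auth failed, 2 attempts in 6 secs): user=<sales@example.com>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.10
May 27 21:02:26 server dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<sales@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 27 21:03:00 server dovecot: pop3-login: Disconnected (no auth attempts): rip=192.0.2.44, lip=198.51.100.10
May 27 21:03:05 server dovecot: imap-login: Login: user=<info@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.10
EOF
}

# stdin: maillog text. stdout: "log-lines attempts mailbox source-ip", busiest first.
failed_by_mailbox() {
  awk '
    /auth failed/ {
      user = "(none)"; rip = "(none)"; tries = 1
      # One log line can cover several tries: "auth failed, N attempts ..."
      if (match($0, /auth failed, [0-9]+ attempts/)) {
        s = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", s); tries = s + 0
      }
      for (i = 1; i <= NF; i++) {
        f = $i; sub(/,$/, "", f)
        if (f ~ /^user=</) {
          # user=<> means the client never sent a usable login name
          u = f; sub(/^user=</, "", u); sub(/>$/, "", u)
          if (u != "") user = u
        } else if (f ~ /^rip=/) {
          rip = substr(f, 5)
        }
      }
      key = user " " rip
      lines[key]++; attempts[key] += tries
    }
    END { for (k in lines) print lines[k], attempts[k], k }
  ' | sort -k2,2nr -k3,3
}

# Demo on the sample; on a server: failed_by_mailbox < /var/log/maillog
sample_log | failed_by_mailbox
```

Rows whose source is 127.0.0.1 or the server's own address come from a client running on the server itself, so the mailbox column is what identifies them.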