imap login: Disconnected / TLS: Connection closed

Operating System & Version: CentOS 7.9
cPanel & WHM Version: 98.0.10

elson_freitas

Hey guys,

I'm having a problem with a client, where CSF catches several "Disconnected" and "TLS: Connection closed" errors.

The client is able to use the email correctly when the IP is added to the whitelist. If it is not on the whitelist, every time the client uses the email the IP is blocked.

I thought it was a login and password error, but everything is fine and connected. However, IMAP always generates the error shown in the log below:

Code:
Time:     Mon Nov  1 10:29:15 2021 -0300
Failures: 10 (imapd)
Interval: 3600 seconds
Blocked:  Permanent Block [LF_IMAPD]

Log entries:

Nov  1 10:07:16 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=, lip=, TLS: Connection closed, session=<hmcN27nPyc6z0r+t>
Nov  1 10:07:23 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=, lip=, TLS: Connection closed, session=<L8o327nPDc+z0r+t>
Nov  1 10:09:57 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=, lip=, TLS: Connection closed, session=<rNCg5LnPec+z0r+t>
Nov  1 10:10:04 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=, lip=, TLS: Connection closed, session=<U3PV5LnPgc+z0r+t>
Nov  1 10:12:37 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=, lip=, TLS: Connection closed, session=<CfQ17rnPns+z0r+t>
Nov  1 10:12:44 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=, lip=, TLS: Connection closed, session=<acpi7rnPoc+z0r+t>
Nov  1 10:15:18 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=, lip=, TLS: Connection closed, session=<1x/H97nPss+z0r+t>
Nov  1 10:15:25 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=, lip=, TLS: Connection closed, session=<Okf597nPs8+z0r+t>
Nov  1 10:29:03 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=, lip=, TLS: Connection closed, session=<F4vvKLrP/M+z0r+t>
Nov  1 10:29:10 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=, lip=, TLS: Connection closed, session=<p5AgKbrPANCz0r+t>
Please, does anyone have any idea how to solve this problem?

Thank you =)
 

elson_freitas

Hello! While we don't support CSF, it looks like the mail client is automatically trying to connect repeatedly, but has incorrect authentication set. Due to the repeated failures, they are getting blocked. To confirm, as soon as you don't have their IP whitelisted, it fails to connect?
So, the funny thing is that in the logs it appears to be an incorrect login, but the client is able to send and receive email correctly on his smartphone. It just fails to work when the server blocks the IP due to these IMAP error logs.
 

quietFinn

Is it possible that the client has another device that is trying to connect with wrong credentials?
 

elson_freitas

Is it possible that the client has another device that is trying to connect with wrong credentials?
I agree with Finn; can you please confirm whether or not there might be other devices trying to connect?
He has no other devices connected, just his smartphone. The curious thing is that even working correctly (sending and receiving), this same device triggers the CSF.
 

quietFinn

CSF is triggered by the errors in /var/log/maillog, and those errors come from dovecot.

If you check the file /var/log/maillog you should also see successful logins from that same IP.
 
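Added example (not part of any post in this thread, and not CSF's or cPanel's own code): one way to run the maillog check suggested above, comparing failed and successful dovecot `imap-login` events per remote IP. The sample lines, the `summarize` function and its parameters are constructed for illustration; the defaults of 10 failures in 3600 seconds are taken from the alert in the first post and only approximate the block rule, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread); IPs are documentation ranges.
FAIL = ("Nov  1 10:{m:02d}:16 venus dovecot: imap-login: Disconnected (auth failed, "
        "1 attempts in 2 secs): user=<{u}>, method=PLAIN, rip={ip}, "
        "lip=198.51.100.5, TLS: Connection closed, session=<f{m}>")
OK = ("Nov  1 10:{m:02d}:40 venus dovecot: imap-login: Login: user=<{u}>, "
      "method=PLAIN, rip={ip}, lip=198.51.100.5, mpid=4242, TLS, session=<s{m}>")
SAMPLE = ([FAIL.format(m=m, u="old@example.com", ip="203.0.113.10") for m in range(7, 27, 2)]
          + [OK.format(m=m, u="info@example.com", ip="203.0.113.10") for m in (8, 20)]
          + [FAIL.format(m=m, u="sales@example.com", ip="192.0.2.77") for m in (11, 12)])

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,\s]*)")

def summarize(lines, year=2021, limit=10, interval=3600):
    """Per remote IP: failure count, block-threshold check, failing vs. working accounts."""
    ips = defaultdict(lambda: {"times": [], "bad": set(), "good": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        rec = ips[m["rip"]]
        if m["event"] == "Login":
            rec["good"].add(m["user"])
        else:
            # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            rec["times"].append(ts)
            rec["bad"].add(m["user"])
    report = {}
    for ip, rec in ips.items():
        t, window = sorted(rec["times"]), timedelta(seconds=interval)
        report[ip] = {
            "failures": len(t),
            "would_block": any(t[i + limit - 1] - t[i] <= window
                               for i in range(len(t) - limit + 1)),
            "working_users": sorted(rec["good"]),
            # accounts that only ever fail from this IP: stale saved password?
            "only_failing": sorted(rec["bad"] - rec["good"]),
        }
    return report

for ip, row in summarize(SAMPLE).items():
    print(ip, row)
```

An IP that crosses the threshold with every failure on one account while a different account logs in normally suggests a stale saved password or a second mail profile on the device rather than password guessing.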

Vecoen

I have a similar issue. I got my client's IP whitelisted, yet when he tries to connect it asks again for credentials. We have changed them and copy-pasted them to log in, but it didn't work. With those copy-pasted credentials I can log in from my side, but from their network, which as I said is whitelisted, I am unable to log in to the mail server.
 

quietFinn

I have a similar issue. I got my client's IP whitelisted, yet when he tries to connect it asks again for credentials. We have changed them and copy-pasted them to log in, but it didn't work. With those copy-pasted credentials I can log in from my side, but from their network, which as I said is whitelisted, I am unable to log in to the mail server.
What do you see in /var/log/maillog when your client is trying to log in?
 

Vecoen

What do you see in /var/log/maillog when your client is trying to log in?
It was an issue with cPHulk blocking the logins, as it detected the logins as a brute force attack, blacklisting it after the firewall let the communication get to the server. After whitelisting the IP the issue was solved. This was logged to /usr/local/cpanel/logs/login_log, which sent us to cPHulk.
 

kennysamuerto

I have a similar issue. I got my client's IP whitelisted, yet when he tries to connect it asks again for credentials. We have changed them and copy-pasted them to log in, but it didn't work. With those copy-pasted credentials I can log in from my side, but from their network, which as I said is whitelisted, I am unable to log in to the mail server.
Could you check if the IP appears in CPHulk? I would say it could be the cause of the problem.
 

elson_freitas

The problem persists here. Now affecting other clients from different networks.

All those affected are able to access the email, receive and send it for a certain time, until the IP is blocked again by CSF.

Adding the IP to the whitelist was remedying some cases, but there are some where the IP changes all the time, and it is not possible to remedy them.

I'm blind, not knowing what I can do to solve the case.
 

quietFinn

If a client using iPhone/iPad/macOS is having that kind of problem, ask them to switch to Non-SSL settings.
We have had such problems with Apple devices in particular.
 