Issues with mail auth fails & mail delivery

[Obble]

Hi.

Hopefully someone can help as I'm lost. I've had my server running for about half a year, in the past few weeks some of my clients have been complaining of getting locked out completely.

As in CSF or cphulk blocks their IP, almost always due to failed IMAP logins
(csf.deny: IPHERE # lfd: (imapd) Failed IMAP login from IPHERE (Moderator Note: removed ip/host): 10 in the last 3600 secs - Wed Jul 31 21:12:29 2019)

Above is the block example. If I unblock, they usually get blocked straight after anyway. I've checked var/log/maillog and found that there's lots of entries like this:
Jul 31 21:10:02 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<EMAILHERE>, method=PLAIN, rip=CLIENTIP, lip=MAILSERVERIP, TLS, session=<removed>


Earlier I was seeing errors like this:

Jul 31 21:04:27 server dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=CLIENTIP, lip=MAILSERVERIP, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<removed>

I made adjustments to SSL minimum protocol for the above (to SSLv3) but I'd prefer to avoid doing this where possible. However I can't see any errors now in relation to this specific one, maybe just coincidence it hasn't popped up yet.




On top of this, recently my emails haven't been delivering from my own email (under cpanel) to only certain clients. Particularly one who definitely uses outlook, said that she didn't receive any emails from me directly or automated by WHMCS -- But sending from a gmail account worked. They didn't pop up in spam either or junk.


Confused really, sorry for the big wall of text and about 3 issues in one. Happy to split them up but didn't want to spam the forums. Thanks in advance.

 

[keat63]

OSX by any chance ?

 

[cPanelLauren]

This looks like the server is no longer accepting SSLv2 connections (this is typically done in favor of TLSv1.2) - the thread here might be helpful for you: SOLVED - Error: Your server does not support the connection encryption type you have specified

 

[Obble]

OSX by any chance ?

I believe this client in particular is on OSX, yes.

This looks like the server is no longer accepting SSLv2 connections (this is typically done in favor of TLSv1.2) - the thread here might be helpful for you: SOLVED - Error: Your server does not support the connecton encryption type you have specified

Hi Lauren, thanks. This issue is still happening regardless of that setting I think. I've reverted to SSLv3, from TLSv1.2. Would TLSv1.0 fix anything do you think? I'm aware there's some increased security risks.

 

[Henry Carter]

Hi Obble,


check /var/log/exim_mainlog logs, if you see any errors like "SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol". The reason for the errors in regards to SSL and TLS is that security was increased on Exim SSL/TLS and ciphers. The issue that occurs from the source email client sending side is that the operating system version and/or email client version used only supports older SSL/TLS versions and ciphers. The absolute best approach is to have the users upgrade their workstations to up to date operating system versions along with up to date email client versions. There is a workaround on the server side but I would like to mention that workaround is not recommended and undoes the security update made to Exim itself.

 

[Obble]

Hi Obble,


check /var/log/exim_mainlog logs, if you see any errors like "SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol". The reason for the errors in regards to SSL and TLS is that security was increased on Exim SSL/TLS and ciphers. The issue that occurs from the source email client sending side is that the operating system version and/or email client version used only supports older SSL/TLS versions and ciphers. The absolute best approach is to have the users upgrade their workstations to up to date operating system versions along with up to date email client versions. There is a workaround on the server side but I would like to mention that workaround is not recommended and undoes the security update made to Exim itself.

Hi Henry.

Thanks for your reply. I haven’t checked just now but when looking into those logs earlier I did see those messages.

What is the workaround here? I know it’s best for users to upgrade their systems but not always practical.

 

[Henry Carter]

Hi Obble,

Log into WHM and go to "Exim Configuration Manager"

Change "Options for OpenSSL" to
+no_sslv2 +no_sslv3

Change "SSL/TLS Cipher Suite List" to
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

then scroll down and click save.

Then for dovecot log into WHM and go to "Service Configuration »Mailserver Configuration"
Under "SSL Cipher List" clear the text box and paste instead

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

Next scroll to the bottom of the page and click Save change.

 

[Obble]

Thanks for your help on this Henry. Do you think this would also stop those IP blocks from failed IMAP or SMTP logins? As this allows clients on older systems to connect?

I've made the changes and will keep an eye out for the errors you mentioned to see if they reappear.

 

[Obble]

Still getting errors like this:

dovecot_plain authenticator failed for ([IPv6:::ffff:xxxxx]) [xxxxx]:56815: 535 Incorrect authentication data ([email protected])

And

Aug  5 11:05:37 server dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=xxxxx, lip=xxxxx, mpid=xxxxx, TLS, session=<xxxxx/xxxxx>
Aug  5 11:05:40 server dovecot: imap-login: Disconnected (no auth attempts in 75 secs): user=<>, rip=xxxxx, lip=xxxxx, TLS handshaking: read(size=1017) failed: Connection reset by peer, session=<xxxxx>
Aug  5 11:05:42 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=xxxxx, lip=xxxxx, TLS: Connection closed, session=<xxxxx>
Aug  5 11:05:48 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=xxxxx, lip=xxxxx, TLS: Connection closed, session=<xxxxx>

Then the user gets blocked by CSF and sometimes CPHULK and then can't view the site, or do anything.

 

[cPanelLauren]

Feel free to open a ticket using the link in my signature. Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!