Issues with mail auth fails & mail delivery

Obble (Member; cPanel Access Level: Root Administrator):
Hi.

Hopefully someone can help, as I'm lost. I've had my server running for about half a year, and in the past few weeks some of my clients have been complaining of getting locked out completely.

As in, CSF or cPHulk blocks their IP, almost always due to failed IMAP logins. Here is an example block:
Code:
csf.deny: IPHERE # lfd: (imapd) Failed IMAP login from IPHERE (Moderator Note: removed ip/host): 10 in the last 3600 secs - Wed Jul 31 21:12:29 2019

If I unblock them, they usually get blocked straight after anyway. I've checked /var/log/maillog and found lots of entries like this:
Code:
Jul 31 21:10:02 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<EMAILHERE>, method=PLAIN, rip=CLIENTIP, lip=MAILSERVERIP, TLS, session=<removed>

Earlier I was seeing errors like this:
Code:
Jul 31 21:04:27 server dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=CLIENTIP, lip=MAILSERVERIP, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<removed>

I made adjustments to the SSL minimum protocol for the above (to SSLv3), but I'd prefer to avoid doing this where possible. However, I can't see any errors now in relation to this specific one; maybe it's just coincidence that it hasn't popped up yet.

On top of this, recently my emails haven't been delivering from my own email (under cPanel) to certain clients only. In particular, one who definitely uses Outlook said that she didn't receive any emails from me, either directly or automated by WHMCS, but sending from a Gmail account worked. They didn't show up in spam or junk either.

Confused really. Sorry for the big wall of text and about three issues in one; happy to split them up but didn't want to spam the forums. Thanks in advance.

cPanelLauren (Product Owner II, Staff member):

OSX by any chance?

This looks like the server is no longer accepting SSLv2 connections (this is typically done in favor of TLSv1.2) - the thread here might be helpful for you: SOLVED - Error: Your server does not support the connecton encryption type you have specified

Obble (Member; cPanel Access Level: Root Administrator):

> OSX by any chance?
I believe this client in particular is on OSX, yes.

> This looks like the server is no longer accepting SSLv2 connections [...]
Hi Lauren, thanks. This issue is still happening regardless of that setting, I think. I've reverted to SSLv3 from TLSv1.2. Would TLSv1.0 fix anything, do you think? I'm aware there are some increased security risks.

Henry Carter (Active Member; cPanel Access Level: Website Owner):

Hi Obble,

Check /var/log/exim_mainlog to see whether you get errors like "SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol". The reason for the SSL/TLS errors is that security was increased on Exim's SSL/TLS settings and ciphers. The issue on the sending email client's side is that the operating system version and/or email client version used only supports older SSL/TLS versions and ciphers. The absolute best approach is to have the users upgrade their workstations to up-to-date operating system versions along with up-to-date email client versions. There is a workaround on the server side, but I would like to mention that the workaround is not recommended and undoes the security update made to Exim itself.

Obble (Member; cPanel Access Level: Root Administrator):

Hi Henry.

Thanks for your reply. I haven't checked just now, but when looking into those logs earlier I did see those messages.

What is the workaround here? I know it's best for users to upgrade their systems, but that's not always practical.

Henry Carter (Active Member; cPanel Access Level: Website Owner):

Hi Obble,

Log into WHM and go to "Exim Configuration Manager".

Change "Options for OpenSSL" to
Code:
+no_sslv2 +no_sslv3

Change "SSL/TLS Cipher Suite List" to
Code:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

Then scroll down and click Save.

Then, for Dovecot, log into WHM and go to "Service Configuration » Mailserver Configuration".
Under "SSL Cipher List", clear the text box and paste instead:
Code:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

Next, scroll to the bottom of the page and click Save Change.
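The cipher string in the post above is a compatibility list: it deliberately re-adds suites that a hardened default would leave out, so it is worth knowing exactly what it re-enables before pasting it into WHM. The script below is an added example for this thread, not code from cPanel, Exim or Dovecot. It parses the colon-separated OpenSSL cipher string from the post, reports duplicates and `!` exclusions, and flags two classes a defender usually wants to see called out: suites with RSA key transport (no ECDHE/DHE/EDH prefix, hence no forward secrecy) and the deprecated 3DES (`DES-CBC3`) suites. The `strip_suites` helper builds the stricter variant without them; dropping those suites is precisely what would break the legacy clients the post is trying to accommodate, so the output shows the trade-off rather than making it for you. The predicate names and the audit dictionary keys are this example's own, not OpenSSL or cPanel terms.

```python
"""Audit an OpenSSL cipher-suite list before saving it in WHM (added example)."""
from collections import Counter

# The Exim / Dovecot cipher list quoted in the post above, verbatim.
CIPHER_LIST = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

# OpenSSL suite names start with the key exchange; these prefixes mean an
# ephemeral (EC)DH exchange and therefore forward secrecy. A bare AES*/DES*
# name means static RSA key transport.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def parse_cipher_string(cipher_string):
    """Split an OpenSSL cipher string into (suites, exclusions, duplicates)."""
    suites, exclusions = [], []
    for token in filter(None, cipher_string.split(":")):
        if token.startswith("!"):
            exclusions.append(token[1:])   # "!DSS" -> excluded family "DSS"
        else:
            suites.append(token)
    duplicates = sorted(name for name, n in Counter(suites).items() if n > 1)
    return suites, exclusions, duplicates


def lacks_forward_secrecy(suite):
    """True for RSA-key-transport suites (no ECDHE/DHE/EDH key exchange)."""
    return not suite.startswith(FS_PREFIXES)


def uses_3des(suite):
    """True for deprecated Triple-DES suites (OpenSSL spells them DES-CBC3)."""
    return "DES-CBC3" in suite


def audit(cipher_string):
    """Summarise what a cipher string enables; keys are this example's own."""
    suites, exclusions, duplicates = parse_cipher_string(cipher_string)
    return {
        "total": len(suites),
        "exclusions": exclusions,
        "duplicates": duplicates,
        "no_forward_secrecy": [s for s in suites if lacks_forward_secrecy(s)],
        "triple_des": [s for s in suites if uses_3des(s)],
    }


def strip_suites(cipher_string, *predicates):
    """Return the string without suites matching any predicate; '!' exclusions are kept."""
    suites, exclusions, _ = parse_cipher_string(cipher_string)
    kept = [s for s in suites if not any(p(s) for p in predicates)]
    return ":".join(kept + ["!" + e for e in exclusions])


if __name__ == "__main__":
    result = audit(CIPHER_LIST)
    print(f"{result['total']} suites, exclusions={result['exclusions']}, duplicates={result['duplicates']}")
    print("no forward secrecy:", ", ".join(result["no_forward_secrecy"]))
    print("3DES:", ", ".join(result["triple_des"]))
    print("stricter variant:", strip_suites(CIPHER_LIST, lacks_forward_secrecy, uses_3des))
```

Run it as-is to audit the list from the post, or replace `CIPHER_LIST` with whatever is currently in the WHM text box. Keep the compatibility list only for as long as the clients that need it exist, and re-run the audit when you tighten it again.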

Obble (Member; cPanel Access Level: Root Administrator):

Thanks for your help on this, Henry. Do you think this would also stop those IP blocks from failed IMAP or SMTP logins, as this allows clients on older systems to connect?

I've made the changes and will keep an eye out for the errors you mentioned to see if they reappear.

Obble (Member; cPanel Access Level: Root Administrator):

Still getting errors like this:
Code:
dovecot_plain authenticator failed for ([IPv6:::ffff:xxxxx]) [xxxxx]:56815: 535 Incorrect authentication data ([email protected])

And:
Code:
Aug  5 11:05:37 server dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=xxxxx, lip=xxxxx, mpid=xxxxx, TLS, session=<xxxxx/xxxxx>
Aug  5 11:05:40 server dovecot: imap-login: Disconnected (no auth attempts in 75 secs): user=<>, rip=xxxxx, lip=xxxxx, TLS handshaking: read(size=1017) failed: Connection reset by peer, session=<xxxxx>
Aug  5 11:05:42 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=xxxxx, lip=xxxxx, TLS: Connection closed, session=<xxxxx>
Aug  5 11:05:48 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=xxxxx, lip=xxxxx, TLS: Connection closed, session=<xxxxx>

Then the user gets blocked by CSF and sometimes cPHulk, and then can't view the site or do anything.
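The maillog excerpts in this thread show two different things that both end in a lockout: handshakes that fail before any credentials are sent (the `SSL23_GET_CLIENT_HELLO:unknown protocol` and `Connection reset by peer` lines, which point at a client that cannot negotiate the server's TLS) and genuine `auth failed` rejections (a stale or mistyped password, often from a second device that kept the old one). Before lowering the TLS minimum or unblocking an IP, it helps to know which of the two a given client is producing. The script below is an added example for this thread, not code from cPanel, Dovecot, CSF or lfd. It parses `imap-login` lines in the format quoted above, classifies each one, aggregates per remote IP (`rip=`) and gives a heuristic verdict per IP. The sample log is constructed: RFC 5737 documentation addresses, made-up users and session ids stand in for the `xxxxx` placeholders, and the category names and verdicts are this example's own.

```python
"""Triage Dovecot imap-login events per client IP (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample in the line shapes quoted in this thread. 203.0.113.10 only
# fails the TLS handshake (a client too old for the server's TLS settings);
# 203.0.113.20 logs in once, then has a reset and two password rejections;
# 203.0.113.40 has password rejections only.
SAMPLE_LOG = """\
Jul 31 21:04:27 server dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=203.0.113.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<s01>
Jul 31 21:04:31 server dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=203.0.113.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<s02>
Aug  5 11:05:37 server dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.20, lip=198.51.100.5, mpid=4242, TLS, session=<s03>
Aug  5 11:05:40 server dovecot: imap-login: Disconnected (no auth attempts in 75 secs): user=<>, rip=203.0.113.20, lip=198.51.100.5, TLS handshaking: read(size=1017) failed: Connection reset by peer, session=<s04>
Aug  5 11:05:42 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.20, lip=198.51.100.5, TLS: Connection closed, session=<s05>
Aug  5 11:05:48 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.20, lip=198.51.100.5, TLS: Connection closed, session=<s06>
Aug  5 11:06:02 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<carol@example.com>, method=PLAIN, rip=203.0.113.40, lip=198.51.100.5, TLS, session=<s07>
"""

# syslog timestamp, host, then the free-text imap-login message
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: (?P<rest>.*)$")
# key=value pairs, with or without Dovecot's <angle brackets>
FIELD_RE = re.compile(r"(\w+)=<?([^,<>]*)>?")


def classify(rest):
    """Map the message part of an imap-login line to an event category (names are this example's)."""
    if rest.startswith("Login:"):
        return "login_ok"
    if "auth failed" in rest:
        return "auth_failed"            # credentials reached Dovecot and were rejected
    if "TLS handshaking:" in rest:
        return "tls_handshake_failed"   # connection died before any credentials were sent
    if "no auth attempts" in rest:
        return "no_auth_attempt"        # connected, completed TLS, then went away silently
    return "other"


def parse_line(line):
    """Return {'ts', 'rip', 'user', 'category'} for an imap-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(FIELD_RE.findall(rest))
    return {
        "ts": m.group("ts"),
        "rip": fields.get("rip", "?"),
        "user": fields.get("user", ""),
        "category": classify(rest),
    }


def triage(log_text):
    """Aggregate imap-login events: {rip: Counter(category -> count)}."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            per_ip[event["rip"]][event["category"]] += 1
    return per_ip


def likely_cause(counts):
    """Heuristic verdict for one IP from its category counts."""
    handshake, auth = counts["tls_handshake_failed"], counts["auth_failed"]
    if handshake and not auth:
        return "tls_mismatch"       # client cannot negotiate; fixing the password will not help
    if auth and not handshake:
        return "bad_credentials"    # TLS is fine; a stored password is wrong somewhere
    if auth and handshake:
        return "mixed"              # more than one client or device behind this IP
    return "none"


def report(per_ip):
    """One summary line per client IP, suitable for pasting into a ticket."""
    lines = []
    for rip in sorted(per_ip):
        c = per_ip[rip]
        lines.append(f"{rip:16} ok={c['login_ok']} auth_failed={c['auth_failed']} "
                     f"tls_handshake_failed={c['tls_handshake_failed']} -> {likely_cause(c)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On a live cPanel box, feed it the real file (`triage(open("/var/log/maillog").read())`) and read the verdict before acting: a `tls_mismatch` client needs a newer mail client or OS (or the compatibility settings discussed above), whereas a `bad_credentials` client will keep tripping the IMAP failure threshold no matter what the TLS settings are until the stored password is fixed.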

cPanelLauren (Product Owner II, Staff member):

Feel free to open a ticket using the link in my signature. Once open, please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.

Thanks!