maillog - any tips for maillog showing continual login and then instant logout from end user?

[martin MHC]

A current email user is having some issues they can't seem to log in to their emails.

Checking the various /var/log files comes up with maillog showing lots and lots of these:

/var/logs/maillog

Apr 14 13:37:37 servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=13659, secured, session=<CTYpG0v5ZucAAAAAAAAAABCDEAAAAAAB>
Apr 14 13:37:37 servername dovecot: imap([email protected])<13659><CTYpG0v5ZucAAAAAAAAAABCDEAAAAAAB>: Disconnected: Logged out in=510, out=111168, bytes=510/111168

This happens continually for up to 60 seconds at a time, continually successfully logging in and then immediately logging out.

Is there any likely factors at their end that can be causing this?

I have also checked exim_maillog and panic_log and exim_rejectlog none of which seem to show anything relevant to this issue.

 

[quietFinn]

So this user has problems with webmail?
"rip=::1" tells that those are webmail logins.

 

[martin MHC]

So this user has problems with webmail?
"rip=::1" tells that those are webmail logins.

That's interesting. I don't believe the user is using webmail, but will get confirmation from them shortly for what email client they're actually using.

 

[cPRex]

That's completely normal behavior for that log as every connection is very brief and *every* action makes a new connection. Here is what I see just from clicking the "Check email" button inside cPanel on my personal system:

Apr 14 10:57:34 host dovecot[1711657]: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=2595171, secured, session=<9Oy0D035fq4AAAAAAAAAAAAAAAAAAAAB>
Apr 14 10:57:34 host dovecot[1711657]: imap([email protected])<2595171><9Oy0D035fq4AAAAAAAAAAAAAAAAAAAAB>: Disconnected: Logged out in=82, out=937, bytes=82/937
Apr 14 10:57:35 host dovecot[1711657]: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=2595172, secured, session=<Woq3D035gK4AAAAAAAAAAAAAAAAAAAAB>
Apr 14 10:57:35 host dovecot[1711657]: imap(cptes[email protected])<2595172><Woq3D035gK4AAAAAAAAAAAAAAAAAAAAB>: Disconnected: Logged out in=129, out=1013, bytes=129/1013
Apr 14 10:57:35 host dovecot[1711657]: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=2595186, secured, session=<GLnBD035iK4AAAAAAAAAAAAAAAAAAAAB>
Apr 14 10:57:35 host dovecot[1711657]: imap([email protected])<2595186><GLnBD035iK4AAAAAAAAAAAAAAAAAAAAB>: Disconnected: Logged out in=405, out=1515, bytes=405/1515
Apr 14 10:57:35 host dovecot[1711657]: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=2595187, secured, session=<krrCD035kK4AAAAAAAAAAAAAAAAAAAAB>
Apr 14 10:57:35 host dovecot[1711657]: imap([email protected])<2595187><krrCD035kK4AAAAAAAAAAAAAAAAAAAAB>: Disconnected: Logged out in=427, out=40055, bytes=427/40055

 

[martin MHC]

@quietFinn yes it turns out the client was using webmail roundcube and it also turns out that they have access now and all is ok so it seems to be one of those phantom errors that has evaporated upon investigation.

@cPRex , thanks, I hadn't realised that these mailer processes were so prolific.