Windows live mail POP3 Login Failures

Discussion in 'E-mail Discussion' started by keat63, May 24, 2018.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,037
    Likes Received:
    47
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Title should say POP3 Login Failures

    All my email users use client software (generally outlook), with POP3 or IMAP.
    As you are aware, outlook stores the username and password.
    None of my email users know or really need to know their username/password, as log in is fixed.


    So I have CSF configured to a single authentication failure and your IP is blocked, unless you're in the office which is whitelisted anyway.

    I have one remote user who uses Windows Live Mail as installed as standard in Windows 7.
    From this user, I'm seeing POP3 Login failures and then a subsequent lock out.

    I brought the laptop in to my office, which is whitelisted, I changed the password on the account and successfully received and sent numerous emails to and from that account.

    However, when that user went home, I saw POP3 login errors again which resulted in another lockout.

    Does Windows Live Mail do something different when logging in to exim?

    xxx.xxx.xxx.xxx # lfd: (pop3d) Failed POP3 login from xxx.xxx.xxx.xxx: 1 in the last 3600 secs - Wed May 23 20:31:55 2018
     
    #1 keat63, May 24, 2018
    Last edited: May 24, 2018
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,838
    Likes Received:
    276
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @keat63

    It shouldn't be doing something different. Do you have cPhulk enabled on the server? I am curious if somehow they got blocked there first.

    Thanks!
     
  3. keat63

    keat63 Well-Known Member

    A slight update on this.

    User now tells me that she is seeing a message from Live Mail that the country is blacklisted.
    I've no idea where this is coming from unless CPHulk is sending some sort of message ?

    I do have CPHulk applied, and for every country barring the UK, however, there are currently no entries in the blacklist.

    I can see the user trying again last night.

    2018-05-24 22:09:16 dovecot_login authenticator failed for xxx.xxx.xxx.xxx.dyn.plus.net (AnnePC) [xxx.xxx.xxx.xxx]:50333: 535 Incorrect authentication data (set_id=anne@xxxxxxxxxxx.co.uk)

    Yet I know that the authentication data is correct, as I reset it and successfully sent/received emails to and from the account using the windows live mail app.

    I think my next step is to install thunderbird or outlook.
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Code:
    I do have CPHulk applied, and for every country barring the UK, however, there are currently no entries in the blacklist.
    
    Can you clarify this, are you saying you have every country besides the UK blocked?
     
  5. keat63

    keat63 Well-Known Member

    That and Thailand which is where my boss is at the moment.
     
  6. keat63

    keat63 Well-Known Member

    I'm wondering if Windows Live Mail is maybe proxied somehow through Microsoft servers ?
    However, this is only a wild guess.
     
  7. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hi @keat63

    It might be that the IP being used by Live mail is an IP that is assigned to something other than the UK or Thailand. Can you disable Country Code blocking temporarily to see if she continues to experience issues?

    Thanks!
     
  8. keat63

    keat63 Well-Known Member

    Something odd that I'm struggling to get my head around.

    Last night (IP only partially obfuscated)
    With CPHULK enabled.

    2018-05-24 22:09:16 dovecot_login authenticator failed for xxx.xxx.199.146.dyn.plus.net (AnnePC) [146.199.xxx.xxx]:50333: 535 Incorrect authentication data (set_id=anne@xxxxxxxxxxx.co.uk)

    The 146. IP resolves to the UK.

    Just now. (Dynamic IP must have changed)
    With CPHULK disabled.

    2018-05-25 14:03:17 1fMCNJ-0001hh-7e <= anne@xxxxxxx.co.uk H=(AnnePC) [83.216.xxx.xxx]:49198 P=esmtpa A=dovecot_login:anne@xxxxxx.co.uk S=1231 id=0D3A400DBFB2414AAEF51AE393ECD5B9@AnnePC T="" for keat@xxxx.com

    83. IP resolves to UK

    CPHulk re-enabled and she can still log in ok.

    After numerous logins/outs, it seems that the user is working again.
    It obviously has something to do with the 146 IP address, maybe CPHULK not resolving this to the UK.
    However, why would CPHULK create a login auth error?
    The login auth error then resulting in a CSF block ???

    Nothing regarding the log in data on the user account or PC has changed since about Tuesday, and the user does not input this manually so I can rule out a typo or user error.
     
    #8 keat63, May 25, 2018
    Last edited: May 25, 2018
  9. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hi @keat63

    Do you have any CC blocking enabled through CSF? Also, do you see anything listed in the cPHulkd logs that reference that IP?

    Code:
    /usr/local/cpanel/logs/cphulkd.log
    /usr/local/cpanel/logs/cphulkd_errors.log
     
  10. keat63

    keat63 Well-Known Member

    I do have CC blocking in CSF also yes.

    [2018-05-24 22:09:14 +0100] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[xxx.xxx.xxx.xxx] [Remote IP Address]=[146.199.xxx.xxx] [Authentication Database]=[mail] [Username]=[anne@xxxxxxx.co.uk]

    I don't see anything in the error log for the IP or time stamp.
     
    #10 keat63, May 25, 2018
    Last edited: May 25, 2018
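
The cross-check done by hand across posts #8 and #10, as an added example that is not part of the thread or cPanel's own tooling: it pairs each exim "535 Incorrect authentication data" failure with a cPHulk "Login Blocked" entry for the same user and remote IP, so a policy block is not mistaken for a bad password. The sample lines are constructed in the formats quoted above with documentation addresses; the function names are hypothetical, and both logs are assumed to be written in the same server-local time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the formats quoted in the thread (not real log data).
CPHULK_LOG = """\
[2018-05-24 22:09:14 +0100] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[192.0.2.10] [Remote IP Address]=[203.0.113.45] [Authentication Database]=[mail] [Username]=[anne@example.co.uk]
"""
EXIM_LOG = """\
2018-05-24 22:09:16 dovecot_login authenticator failed for host.example.net (AnnePC) [203.0.113.45]:50333: 535 Incorrect authentication data (set_id=anne@example.co.uk)
2018-05-24 23:40:02 dovecot_login authenticator failed for other.example.net (PC2) [198.51.100.7]:40112: 535 Incorrect authentication data (set_id=bob@example.co.uk)
"""

HULK_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) [+-]\d{4}\] info \[cPhulkd\] "
    r"Login Blocked: (?P<reason>[^\[]+?)\s*\[Service\]=\[(?P<svc>[^\]]*)\].*"
    r"\[Remote IP Address\]=\[(?P<ip>[^\]]*)\].*\[Username\]=\[(?P<user>[^\]]*)\]")
EXIM_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) dovecot_login authenticator failed for .*"
    r"\[(?P<ip>[^\]]+)\]:\d+: 535 Incorrect authentication data \(set_id=(?P<user>[^)]+)\)")

def parse(regex, text):
    """Return one dict per matching line, with 'ts' parsed as a naive local datetime."""
    out = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            out.append(d)
    return out

def explain_failures(exim_text, hulk_text, window=timedelta(seconds=10)):
    """Label each exim auth failure with the cPHulk block reason, if one matches."""
    blocks = parse(HULK_RE, hulk_text)
    results = []
    for f in parse(EXIM_RE, exim_text):
        # Same user, same remote IP, and within the time window (assumed same time zone).
        reason = next((b["reason"] for b in blocks
                       if b["user"] == f["user"] and b["ip"] == f["ip"]
                       and abs(f["ts"] - b["ts"]) <= window), None)
        results.append((f["user"], f["ip"], reason or "no cPHulk block: check credentials"))
    return results

if __name__ == "__main__":
    for row in explain_failures(EXIM_LOG, CPHULK_LOG):
        print(*row, sep="  ")
```

With CSF set to block on a single failure, as described in the first post, any failure that carries a cPHulk reason here is a policy rejection, not a wrong password.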
  11. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    This does look like cPHulk is doing it based on the country code. Since I can't see the IP, would it be possible for you to open a ticket? I believe further investigation needs to be done for that IP or range to determine if it's reporting a false positive - if it is we need to open an internal case about it.


    Thanks!
     
  12. keat63

    keat63 Well-Known Member

    I'm out of the office now until mid week, so I wouldn't be able to open up access until then. I suspect any logs will have expired by then.
    Maybe if it happens again. ??
     
  13. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hi @keat63


    That sounds good, if it does happen again!

    Thanks!
     
  14. keat63

    keat63 Well-Known Member

    This problem came back.
    Windows 2012 Live Mail, configured and working from a known whitelisted IP.
    And worked for a short while on a non-whitelisted IP.

    Then about 2 weeks ago, the user reported that it stopped working again.
    This morning, I tried to download emails using her LiveMail client, but this was reporting server connection issues.

    Now bear in mind that I've made no changes to the PC for a few weeks and the end user wouldn't know where to make any significant email config changes; it works on a whitelisted IP from a country that's not restricted in CPHULK.

    I disabled LiveMail and installed Outlook.
    No other changes.
    Outlook downloaded 68 emails without issue.
    Nothing changed other than the client email software.

    I'm convinced that LiveMail is being proxied via Microsoft or something similar, and that CPHULK is blocking access.
    CPHULK detecting that the connection is coming in from the USA maybe.

    Here is the log entry from me logging in using outlook.

    Jun 17 12:33:14 dovecot: pop3-login: Login: user=<anne@xxxxx.co.uk>, method=PLAIN, rip=xx.xx.xx.xx, lip=xxx.xxx.xxx.xxx, mpid=29671, session=<P4SP0NRuTsBT2J5U>

    No entries of me trying to log in using LiveMail 20 minutes earlier though, which I guess shows that CPHULK was blocking it.
     
    #14 keat63, Jun 18, 2018
    Last edited: Jun 18, 2018
  15. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hi @keat63

    Please open a ticket using the link in my signature in regard to this issue so that we can look further into it for you. Please let me know the ticket ID once it's open and I'll follow up here with the outcome of the ticket.

    Thanks!
     