Windows live mail POP3 Login Failures

keat63

• May 24, 2018 02:13

Title should say POP3 Login Failures All my email users use client software (generally outlook), with POP3 or IMAP. As you are aware, outlook stores the username and password. None of my email users know or really need to know thier username/password, as log in is fixed. So I have CSF configured to a single authentication failure and your IP is blocked, unless youre in the office which is whitelisted anyway. I have one remote user who uses Windows Live Mail as installed as standard in Windows 7. From this user, I'm seeing POP3 Login failures and then a subsequent lock out. I brought the laptop in to my office, which is whitelisted, I changed the password on the account and successfully received and sent numerous emails to and from that account. However, when that user went home, I saw POP3 login errors again which resulted in another lockout. Does windows live mail do something different when logging in to exim. xxx.xxx.xxx.xxx # lfd: (pop3d) Failed POP3 login from xxx.xxx.xxx.xxx: 1 in the last 3600 secs - Wed May 23 20:31:55 2018

• 

  cPanelLauren

  • May 24, 2018 17:11

  Hi @keat63 It shouldn't be doing something different. Do you have cPhulk enabled on the server? I am curious if somehow they got blocked there first. Thanks!

  0
• 

  keat63

  • May 25, 2018 07:03

  A slight update on this. User now tells me that she is seeing a message from Live Mail that the country is blacklisted. I've no idea where this is coming from unless CPHulk is sending some sort of message ? I do have CPHulk applied, and for every country barring the UK, however, there are currently no entries in the blacklist. I can see the user trying again last night. 2018-05-24 22:09:16 dovecot_login authenticator failed for xxx.xxx.xxx.xxx.dyn.plus.net (AnnePC) [xxx.xxx.xxx.xxx]:50333: 535 Incorrect authentication data (set_id=anne@xxxxxxxxxxx.co.uk) Yet I know that the authentication data is correct, as I reset it and succesfully sent/recieved emails to and from the account using the windows live mail app. I think my next step is to install thunderbird or outlook.

  0
• 

  cPanelLauren

  • May 25, 2018 12:44

  I do have CPHulk applied, and for every country barring the UK, however, there are currently no entries in the blacklist.
  Can you clarify this, are you saying you have every country besides the UK blocked?

  0
• 

  keat63

  • May 25, 2018 12:47

  That and Thailand which is where my boss is at the moment.

  0
• 

  keat63

  • May 25, 2018 12:50

  I'm wondering if Windows Live Mail is maybe proxied somehow through Microsoft servers ? However, this is only a wild guess.

  0
• 

  cPanelLauren

  • May 25, 2018 12:52

  Hi @keat63 It might be that the IP being used by Live mail is an IP that is assigned to something other than the UK or Thailand. Can you disable Country Code blocking temporarily to see if she continues to experience issues? Thanks!

  0
• 

  keat63

  • May 25, 2018 13:26

  something odd that i'm struggling to get my head around. Last night (Ip only partially obfuscated) With CPHULK enabled. 2018-05-24 22:09:16 dovecot_login authenticator failed for xxx.xxx.199.146.dyn.plus.net (AnnePC) [146.199.xxx.xxx]:50333: 535 Incorrect authentication data (set_id=anne@xxxxxxxxxxx.co.uk) The 146. IP resolves to the UK. Just now. (Dynamic IP must have changed) With CPHULK disabled. 2018-05-25 14:03:17 1fMCNJ-0001hh-7e <= anne@xxxxxxx.co.uk H=(AnnePC) [83.216.xxx.xxx]:49198 P=esmtpa A=dovecot_login:anne@xxxxxx.co.uk S=1231 id=0D3A400DBFB2414AAEF51AE393ECD5B9@AnnePC T="" for keat@xxxx.com 83. IP resolves to UK CPHulk re-enabled and she can still log in ok. After numerous logins/outs, it seems that the user is working again. It obviously has something to do with the 146 IP address, maybe CPHULK not resolving this to the UK. However, why would CPHULK create a login auth error. The login auth error then resulting in a CSF block ??? Nothing regarding the log in data on the user account or PC has changed since about Tuesday, and the user does not input this manually so I can rulle out a typo or user error.

  0
• 

  cPanelLauren

  • May 25, 2018 14:35

  Hi @keat63 Do you have any CC blocking enabled through CSF? Also, do you see anything listed in the cPHulkd logs that reference that IP? /usr/local/cpanel/logs/cphulkd.log /usr/local/cpanel/logs/cphulkd_errors.log
  

  0
• 

  keat63

  • May 25, 2018 14:55

  I do have CC blocking in CSF also yes. [2018-05-24 22:09:14 +0100] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[xxx.xxx.xxx.xxx] [Remote IP Address]=[146.199.xxx.xxx] [Authentication Database]=[mail] [Username]=[anne@xxxxxxx.co.uk] I dont see anything in the error log for the IP or time stamp.

  0
• 

  cPanelLauren

  • May 25, 2018 15:13

  This does look like cPHulk is doing it based on the country code since I can't see the IP would it be possible for you to open a ticket. I believe further investigation needs to be done for that IP or range to determine if it's reporting a false positive - if it is we need to open an internal case about it. Thanks!

  0
• 

  keat63

  • May 25, 2018 19:24

  I'm out of the office now until mid week, so I wouldn't be able to open up access until then. I suspect any logs will have expired by then. Maybe if it happens again. ??

  0
• 

  cPanelLauren

  • May 25, 2018 19:44

  Hi @keat63 That sounds good, if it does happen again! Thanks!

  0
• 

  keat63

  • June 18, 2018 11:11

  This problem came back. Windows 2012 Live Mail, configured and working from a known whitelisted IP. And worked for a short while on a none whitelisted IP. Then about 2 weeks ago, the user reported that it stopped working again. This morning, I tried to download emails using her LiveMail client, but this was reporting server connection issues. Now bear in mind, that I've made no changes to the PC for a few weeks and the end user wouldn't know where to make any significant email config changes, it works on a whitelisted IP from country whos not restricted in CPHULK. I disabled LiveMail and installed Outlook. No other changes. Outlook downloaded 68 emails without issue. Nothing changed other than the client email software. I'm convinced that LiveMail is being proxied via Microsoft or something similar, and that CPHULK is blocking access. CPHULK detecting that the connection is coming in from the USA maybe. Here is the log entry from me logging in using outlook. Jun 17 12:33:14 dovecot: pop3-login: Login: user=, method=PLAIN, rip=xx.xx.xx.xx, lip=xxx.xxx.xxx.xxx, mpid=29671, session= No entries of me trying to log in using LiveMail 20 minutes earler though, which I guess shows that CPHULK was blocking it.

  0
• 

  cPanelLauren

  • June 18, 2018 14:04

  Hi @keat63 Please open a ticket using the link in my signature in regard to this issue so that we can look further into it for you. Please let me know the ticket ID once it's open and I'll follow up here with the outcome of the ticket. Thanks!

  0

Please sign in to leave a comment.