imap login: Disconnected / TLS: Connection closed
Hey guys,
I'm having a problem with a client, where CSF catches several disconnected and TLS connection closed errors.
The client is able to use the email correctly when adding the IP in whitelist. If it is not on the white list, every time the client uses the email the IP is blocked.
I thought it was a login and password error, but everything is fine and connected, however, IMAP always generates this error in the log below:
Time: Mon Nov 1 10:29:15 2021 -0300
Failures: 10 (imapd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_IMAPD]
Log entries:
Nov 1 10:07:16 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=, lip=, TLS: Connection closed, session=
Nov 1 10:07:23 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=, lip=, TLS: Connection closed, session=
Nov 1 10:09:57 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=, lip=, TLS: Connection closed, session=
Nov 1 10:10:04 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=, lip=, TLS: Connection closed, session=
Nov 1 10:12:37 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=, lip=, TLS: Connection closed, session=
Nov 1 10:12:44 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=, lip=, TLS: Connection closed, session=
Nov 1 10:15:18 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=, lip=, TLS: Connection closed, session=<1x/H97nPss+z0r+t>
Nov 1 10:15:25 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=, lip=, TLS: Connection closed, session=
Nov 1 10:29:03 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=, lip=, TLS: Connection closed, session=
Nov 1 10:29:10 venus dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=, lip=, TLS: Connection closed, session=
Please, does anyone have any idea how to solve this problem? Thank you =)
Hello! While we don't support CSF, it looks like the mail client is automatically trying to connect repeatedly, but has incorrect authentication set. Due to the repeated failures, they are getting blocked. To confirm, as soon as you don't have their IP whitelisted, it fails to connect?
So, the funny thing is that in the logs it appears to be incorrect login, but the client is able to send and receive email correctly on his smartphone. It just fails to use when the server blocks the IP due to these IMAP error logs.
Is it possible that the client has another device that is trying to connect with wrong credentials?
I agree with Finn; can you please confirm whether or not there might be other devices trying to connect?
He has no other devices connected, just his smartphone. The curious thing is that even working correctly (sending and receiving), this same device triggers the CSF.
CSF is triggered by the errors in /var/log/maillog, and those errors come from dovecot. If you check the file /var/log/maillog you should also see successful logins from that same IP.
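The check suggested above, as an added example that is not part of the original thread: it groups dovecot imap-login lines by remote IP, lists which user names fail and which succeed from the same address, and tests the failures against the 10-in-3600-seconds limit shown in the CSF alert. The sample lines, user names and addresses are constructed, and the sliding-window count is an assumption about how lfd tallies failures.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ dovecot: imap-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<?(?P<user>[^>,]*)>?.*?\brip=(?P<rip>[^,\s]+)")

def sample_log():
    """Constructed log lines (made-up users, documentation-range addresses)."""
    fail = ("Nov  1 10:{m:02d}:16 venus dovecot: imap-login: Disconnected "
            "(auth failed, 1 attempts in 2 secs): user=<old@example.com>, "
            "method=PLAIN, rip={ip}, lip=192.0.2.10, TLS: Connection closed, "
            "session=<f{m}>")
    ok = ("Nov  1 10:{m:02d}:30 venus dovecot: imap-login: Login: "
          "user=<new@example.com>, method=PLAIN, rip={ip}, lip=192.0.2.10, "
          "mpid=4242, TLS, session=<s{m}>")
    lines = [fail.format(m=m, ip="203.0.113.7") for m in range(5, 25, 2)]
    lines += [ok.format(m=m, ip="203.0.113.7") for m in (6, 12)]
    lines.append(fail.format(m=40, ip="198.51.100.9"))
    return lines

def summarise(lines, limit=10, interval=3600, year=2021):
    """Per remote IP: failing users, succeeding users, and whether the limit trips."""
    stats = defaultdict(lambda: {"times": [], "failed": set(), "ok": set()})
    for m in filter(None, map(LINE.match, lines)):  # skip non-matching lines
        s = stats[m["rip"]]
        if m["event"] == "Login":
            s["ok"].add(m["user"])
        else:
            s["failed"].add(m["user"])
            # syslog timestamps carry no year, so one is supplied
            s["times"].append(
                datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    report = {}
    for rip, s in stats.items():
        t = sorted(s["times"])
        # Assumption: lfd blocks on `limit` failures inside `interval` seconds.
        trips = any((t[i + limit - 1] - t[i]).total_seconds() <= interval
                    for i in range(len(t) - limit + 1))
        report[rip] = {"failures": len(t), "trips_limit": trips,
                       "failed_users": sorted(s["failed"]),
                       "ok_users": sorted(s["ok"]), "mixed": bool(s["ok"] and t)}
    return report

print(summarise(sample_log()))
```

An address flagged `mixed` has both successful and failed logins, and the `failed_users` list shows which account on that client is presenting the rejected credentials.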
I have a similar issue, I got my client's IP whitelisted yet when he tries to connect it asks again for credentials, we have changed them and copy pasted to login but didn't work, with those copy pasted credentials I can login from my side but from their network, which as I said is whitelisted, I am unable to login to the mailserver
What do you see in /var/log/maillog when your client is trying to login?
It was an issue with cphulk blocking the logins as it detected the logins as a brute force attack, blacklisting it after the firewall let the communication get to the server. After whitelisting the IP the issue was solved, this was logged to /usr/local/cpanel/logs/login_log, which sent us to cphulk.
Could you check if the IP appears in CPHulk? I would say it could be the cause of the problem.
Yes it was, when we saw the error came through cphulk we looked at it, as it didn't appear blocked or blacklisted, we whitelisted directly and that resolved the issue.
The problem persists here. Now affecting other clients from different networks. All those affected are able to access the email, receive and send it for a certain time, until the IP is blocked again by CSF. Adding the IP to the white list was remedying some cases, but there are some that the IP changes all the time, and it is not possible to remedy them. I'm blind, not knowing what I can do to solve the case.
If a client using iPhone/iPad/macOS is having that kind of problem ask them to switch to Non-SSL settings. We have had such problems with Apple devices in particular.