[Case 54362] CPHulk vs Dovecot / IMAP

Comments

11 comments

  • pachiko
    [quote="bojan050, post: 1526761"]Hello, a few times a day my e-mail client (Outlook / iPad Mail) throws an authentication error. When I look in the mail log I see the following:
    Dec 11 13:32:28 srv1 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'example@example.com' to access service 'mail' from IP 'myIP'
    Dec 11 13:32:29 srv1 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'example@example.com' to access service 'mail' from IP 'myIP'
    I have whitelisted my IP but I still get these errors. Any ideas?[/quote]
    Hello, can you check your IP address within the cphulk database using the command line?
    0
  • bojan050
    [quote="pachiko, post: 1526852"]Hello, can you check your IP address within the cphulk database using the command line?[/quote]
    I checked from the command line. My IP address is listed in the whitelist table, not on the blacklist. The Brutes table is empty.
    0
  • cPanelMichael
    Hello :) Check the "Login/Brute History Report" in "WHM Home » Security Center » cPHulk Brute Force Protection" the next time this happens and see if there are any reports of failed logins for that email account as opposed to just checking for your IP address. Thank you.
    0
  • bojan050
    Hi Michael, That's the first place I looked. No entries there. The list is empty.
    0
  • cPanelMichael
    I recommend opening a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome. Thank you.
    0
  • bojan050
    Hi, I created a ticket. Number is 4418317. Thanks.
    0
  • cPanelMichael
    We were able to reproduce the issue where logins to services fail when the IP address is whitelisted and the account has been locked out by cPhulkd. An internal case is open with our development team to determine if this behavior is by design. For reference, the case number is 54362. I will update this thread with more information as it becomes available. Thank you.
    0
  • tsiedsma
    I'm seeing the exact same issue, only the IP isn't whitelisted or blacklisted and doesn't show up in the history of cphulk. It's very odd. Have there been any updates to this issue? A customer has complained that they consistently get an error in their email client when connecting via IMAP. I checked the maillog and found this occurring at about the same frequency as they have reported. The odd thing is, the cphulk history, whitelist and blacklist do not contain the IP or account in question.
    Jan 1 11:20:53 cpsrv12 dovecot: imap(user@domain.com): Disconnected: Logged out in=265, out=2687, bytes=265/2687
    Jan 1 11:22:03 cpsrv12 dovecot: imap-login: Login: user=, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=555629, TLS, session=
    Jan 1 11:22:05 cpsrv12 dovecot: imap(user@domain.com): Disconnected: Logged out in=275, out=7862, bytes=275/7862
    Jan 1 11:22:53 cpsrv12 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'user@domain.com' to access service 'mail' from IP 'customer_ip'
    Jan 1 11:22:55 cpsrv12 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=customer_ip, lip=server_ip, TLS, session=
    Jan 1 11:24:48 cpsrv12 dovecot: imap-login: Login: user=, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=556446, TLS, session=
    Jan 1 11:24:50 cpsrv12 dovecot: imap(user@domain.com): Disconnected: Logged out in=265, out=2687, bytes=265/2687
    Jan 1 11:25:07 cpsrv12 dovecot: imap-login: Login: user=, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=556980, TLS, session=
    According to the customer, the mail client has the password saved. It successfully logs in and then will eventually fail and pop up an error "AUTHENTICATION FAILED". The mail client will successfully log in after additional login attempts without changing the password. This is automated; the user is not typing in the credentials incorrectly.
    0
  • cPanelMichael
    I went ahead and removed the new thread so you can have the issue handled here. I suggest opening a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome. Thank you.
    0
  • tsiedsma
    Ticket created #4433447
    0
  • cPanelMichael
    [quote="tsiedsma, post: 1541372"]Ticket created #4433447[/quote]
    To update, it was determined these were aborted login attempts, indicating the client did not complete the login sequence. It was recommended to update the polling interval to at least 5 minutes in the email clients. Thank you.
    0
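
A triage sketch for the maillog pattern discussed in this thread, added here as an example and not code from cPanel or from any poster: for every "cphulk blocked login" line it counts successful logins by the same user and IP shortly before or after. It assumes Dovecot's usual `user=<address>` field on login lines; the function name, the 10-minute window and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the maillog format quoted in the thread;
# host, users and documentation-range IPs are made up for this example.
SAMPLE = """\
Jan 1 11:22:03 cpsrv12 dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, mpid=555629, TLS, session=<aaaa>
Jan 1 11:22:53 cpsrv12 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'user@example.com' to access service 'mail' from IP '203.0.113.7'
Jan 1 11:22:55 cpsrv12 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<user@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS, session=<bbbb>
Jan 1 11:24:48 cpsrv12 dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, mpid=556446, TLS, session=<cccc>
Jan 1 12:40:10 cpsrv12 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'other@example.com' to access service 'mail' from IP '192.0.2.55'
"""

TS = r"(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)"
BLOCK = re.compile(
    TS + r" \S+ dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login "
    r"for user '(?P<user>[^']*)' to access service '[^']*' from IP '(?P<ip>[^']*)'")
# Assumes Dovecot's usual user=<address> field on successful logins.
LOGIN = re.compile(
    TS + r" \S+ dovecot: \w+-login: Login: user=<(?P<user>[^>]*)>.*?\brip=(?P<ip>[^,\s]+)")

def parse_ts(text):
    # Syslog timestamps have no year; a fixed leap year is assumed so Feb 29 parses.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S")

def triage_cphulk_blocks(log, window=timedelta(minutes=10)):
    """For each cphulk block, count successful logins by the same user and IP
    within `window` on either side of it."""
    logins, blocks = defaultdict(list), []
    for line in log.splitlines():
        if m := LOGIN.match(line):
            logins[(m["user"], m["ip"])].append(parse_ts(m["ts"]))
        elif m := BLOCK.match(line):
            blocks.append((parse_ts(m["ts"]), m["user"], m["ip"]))
    report = []
    for when, user, ip in blocks:
        nearby = sum(abs(t - when) <= window for t in logins.get((user, ip), []))
        report.append({"time": when.strftime("%H:%M:%S"), "user": user,
                       "ip": ip, "nearby_logins": nearby})
    return report

if __name__ == "__main__":
    for row in triage_cphulk_blocks(SAMPLE):
        print(row)
```

A block with nearby successful logins from the same user and IP is the intermittent pattern reported above; a count of zero only means the log shows no success for that pair inside the window.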
