
email users can't access the server from cell phones...

Comments

10 comments

  • 24x7server
    Are you using CSF firewall on your server? If yes, then please check your client IP in the CSF firewall and remove it if it's blocked in the server firewall. Check your IP in CSF:
    csf -g IP
    Remove the IP from the CSF deny list:
    csf -dr IP
    0
  • cPanelMichael
    Hello :) You can also search /var/log/maillog for the IP address to find specific reasons for the login failures. Thank you.
    0
  • IISG
    Sorry for the delay, I didn't get notified. I'm not running CSF since cphulk is installed by default. I'm running WHM 11.52.1 (build 3). I'll have to set up an account and test it to find the proper log file entries. The part that doesn't make sense is that it has happened in different ways. As an example, a user checks email while on wifi in their office, then turns off wifi and they get blocked, go back to wifi and all is good.
    0
  • IISG
    OK I did some testing and well, it makes less sense. I logged in on a wifi connection, checked email fine, then switched to cellular and instant failure. Got this from the logs:

    Dec 4 05:09:51 meteor dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'MyEmail@MyDomain.com' to access service 'mail' from IP '172.56.4.133'
    Dec 4 05:09:54 meteor dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 3 secs): user=, method=PLAIN, rip=172.56.4.133, lip=22.137.118.13, session=

    Email address and my server address are modified but failure address (tmobile) is not. I then look via iptables-save and the email address is NOT listed. I then look in cphulk and it doesn't find the IP anywhere in any of the block types. I cleared blocks in cphulk, cleared iptables, I then rebooted the box just for fun and the first attempt was exactly the same. No user failed login information in cphulk.
    0
  • IISG
    Sorry, one more note: if I turn off cphulk, mail flows just fine. I turn it back on and at the moment it works, but am I missing something as to how cphulk blocks IP addresses? Does it not block via iptables? Thanks...
    0
  • cPanelMichael
    I then look in cphulk and it doesn't find the ip anywhere in any of the block types.

    The output you provided suggests the email account username, and not the IP address, was blocked. You can disable "Username-based Protection" if you only want "IP-based Protection" enabled via "WHM Home >> Security Center >> cPHulk Brute Force Protection". Thank you.
    0
  • IISG
    I have user based protection off. That was the first thing I checked. Just for reference even if it was on, that user should NOT have been blocked on the first attempt to check mail with valid credentials.
    0
  • cPanelMichael
    Could you review /usr/local/cpanel/logs/cphulkd.log the next time this happens to see the cPHulk activity that's occurring at the same time as the failed login attempt? Thank you.
    0
  • IISG
    Sorry for the delay, I never got notified. So I tested and on the first try did get locked out just like before, which makes no sense at first.

    [2015-12-15 07:41:21 -0500] info [cphulkd] 812 Login Blocked: The IP address is blacklisted. [Service]=[pop3] [Local IP Address]=[x.x.x.x] [Remote IP Address]=[172.56.26.249] [Authentication Database]=[pop3] [Username]=[jUSER@Domain.net]

    The only entries in the cphulk log for the offending IP are mine from the test. However, I look in history with no luck, I do see blocked IPs showing: 172.56.0.0-172.56.255.255

    That's a HUGE block of IPs to be blocked, why such a broad stroke? Also, when I search for IPs in the 172.56.x.x I do see from the beginning of December to now 692 entries in cphulk.log. Given that there are literally millions of T-Mobile users, I can see it happening, but we have a small amount of users and yes, I'm sure some of them are putting in bad passwords, but short of whitelisting all of T-Mobile's IPs, what can I do? Thanks!
    0
  • cPanelMichael
    That's a HUGE block of IPs to be blocked, why such a broad stroke?

    This is not configured by default. Have you considered removing that range of IP addresses from the blacklist? Thank you.
    0
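
The lookup that resolved this thread, as an added example (not part of any post above and not cPanel's code): it parses `cphulkd.log` "Login Blocked" lines and reports which blacklist entry covers the remote IP, which is why searching for the single address found nothing. The regexes are built only from the one log line quoted in the thread; the function names and the blacklist contents are assumptions, and the sketch also accepts single-IP and CIDR entries in addition to the dash range seen above.

```python
import ipaddress
import re

# Patterns derived from the cphulkd.log line quoted in the thread (assumed format).
BLOCK_RE = re.compile(r"Login Blocked: (?P<reason>[^\[]*)")
FIELD_RE = re.compile(r"\[([^\]]+)\]=\[([^\]]*)\]")

def parse_blocked(line):
    """Return reason and remote IP for a 'Login Blocked' line, else None."""
    m = BLOCK_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    return {"reason": m.group("reason").strip(),
            "remote_ip": fields.get("Remote IP Address")}

def entry_bounds(entry):
    """(first, last) address of 'a.b.c.d', 'a.b.c.d/nn' or 'start-end'."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return lo, hi
    net = ipaddress.ip_network(entry, strict=False)
    return net[0], net[-1]

def covering_entries(ip, blacklist):
    """Blacklist entries whose range contains ip, not just exact matches."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for entry in blacklist:
        lo, hi = entry_bounds(entry)
        if lo.version == addr.version and lo <= addr <= hi:
            hits.append(entry)
    return hits

def explain(log_lines, blacklist):
    """List (remote_ip, reason, covering blacklist entries) per blocked login."""
    report = []
    for line in log_lines:
        ev = parse_blocked(line)
        if ev and ev["remote_ip"]:
            hits = covering_entries(ev["remote_ip"], blacklist)
            report.append((ev["remote_ip"], ev["reason"], hits))
    return report

# First line is the one quoted in the thread; the second is constructed.
SAMPLE_LOG = [
    "[2015-12-15 07:41:21 -0500] info [cphulkd] 812 Login Blocked: The IP address is blacklisted. [Service]=[pop3] [Local IP Address]=[x.x.x.x] [Remote IP Address]=[172.56.26.249] [Authentication Database]=[pop3] [Username]=[jUSER@Domain.net]",
    "[2015-12-15 07:42:00 -0500] info [cphulkd] 812 unrelated constructed line",
]
# Range is the one reported in the thread; the other entries are constructed.
SAMPLE_BLACKLIST = ["203.0.113.7", "172.56.0.0-172.56.255.255", "198.51.100.0/24"]

if __name__ == "__main__":
    for ip, reason, hits in explain(SAMPLE_LOG, SAMPLE_BLACKLIST):
        print(ip, "|", reason, "| covered by:", hits or "no entry")
```

The blacklist entries have to be copied in from the cPHulk blacklist shown in WHM; the script does not read cPHulk's own configuration.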
