[Case 54362] CPHulk vs Dovecot / IMAP

bojan050

Member
cPanel Access Level
Root Administrator
Hello,

A few times a day my e-mail client (Outlook / iPad Mail) throws an authentication error. When I look in the mail log I see the following:

Code:
Dec 11 13:32:28 srv1 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user '[email protected]' to access service 'mail' from IP 'myIP'
Dec 11 13:32:29 srv1 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user '[email protected]' to access service 'mail' from IP 'myIP'
I have whitelisted my IP but I still get these errors. Any ideas?
 

pachiko

Active Member
cPanel Access Level
Root Administrator
Hello,
Can you check your IP address within the cphulk database using the command line?
 

cPanelMichael

Administrator
Staff member
Hello :)

Check the "Login/Brute History Report" in "WHM Home » Security Center » cPHulk Brute Force Protection" the next time this happens and see if there are any reports of failed logins for that email account as opposed to just checking for your IP address.

Thank you.
 

cPanelMichael

Administrator
Staff member
I recommend opening a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelMichael

Administrator
Staff member
We were able to reproduce the issue where logins to services fail when the IP address is whitelisted and the account has been locked out by cPhulkd. An internal case is open with our development team to determine if this behavior is by design. For reference, the case number is 54362. I will update this thread with more information as it becomes available.

Thank you.
 

tsiedsma

Active Member
cPanel Access Level
Root Administrator
I'm seeing the exact same issue, only the IP isn't whitelisted or blacklisted and doesn't show up in the history of cphulk. It's very odd. Have there been any updates to this issue? A customer has complained that they consistently get an error in their email client when connecting via IMAP.

I checked the maillog and found this occurring at about the same frequency as they have reported. The odd thing is, the cphulk history, whitelist and blacklist do not contain the IP or account in question.

Code:
Jan  1 11:20:53 cpsrv12 dovecot: imap([email protected]): Disconnected: Logged out in=265, out=2687, bytes=265/2687
Jan  1 11:22:03 cpsrv12 dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=555629, TLS, session=<RFqxE+vuaQBQbAES>
Jan  1 11:22:05 cpsrv12 dovecot: imap([email protected]): Disconnected: Logged out in=275, out=7862, bytes=275/7862
Jan  1 11:22:53 cpsrv12 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user '[email protected]' to access service 'mail' from IP 'customer_ip'
Jan  1 11:22:55 cpsrv12 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=customer_ip, lip=server_ip, TLS, session=<iHeJFuvupgBQbAES>
Jan  1 11:24:48 cpsrv12 dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=556446, TLS, session=<OUuXHevuKABQbAES>
Jan  1 11:24:50 cpsrv12 dovecot: imap([email protected]): Disconnected: Logged out in=265, out=2687, bytes=265/2687
Jan  1 11:25:07 cpsrv12 dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=customer_ip, lip=server_ip, mpid=556980, TLS, session=<hXS8HuvuSgBQbAES>
According to the customer, the mail client has the password saved. It successfully logs in and then will eventually fail and pop up an error "AUTHENTICATION FAILED". The mail client will successfully log in after additional login attempts without changing the password.

This is automated, the user is not typing in the credentials incorrectly.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,270
463
I went ahead and removed the new thread so you can have the issue handled here. I suggest opening a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelMichael

Administrator
Staff member
Ticket created #4433447
To update, it was determined these were aborted login attempts, indicating the client did not complete the login sequence. It was recommended to update the polling interval to at least 5 minutes in the email clients.

Thank you.
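
Added example (not part of the thread and not cPanel code): a small triage script for the maillog pattern discussed above. For each user/IP pair it counts cphulk block lines, pairs each block with a Dovecot "Aborted login" that follows within a few seconds, and counts login attempts that arrive less than 5 minutes apart. The sample lines are constructed in the format quoted in the thread; the user, IPs, session values, the 10-second pairing window and the placeholder year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the maillog format quoted in the thread (placeholder user/IPs).
SAMPLE = """\
Jan  1 11:22:03 cpsrv12 dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, mpid=1, TLS, session=<a>
Jan  1 11:22:53 cpsrv12 dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'user@example.com' to access service 'mail' from IP '203.0.113.7'
Jan  1 11:22:55 cpsrv12 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<user@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, TLS, session=<b>
Jan  1 11:24:48 cpsrv12 dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, mpid=2, TLS, session=<c>
Jan  1 11:25:07 cpsrv12 dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, mpid=3, TLS, session=<d>
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: "
PATTERNS = {
    "blocked": re.compile(TS + r"auth: Error: Cpanel::MailAuth: cphulk blocked login "
                               r"for user '(?P<user>[^']+)' .* from IP '(?P<ip>[^']+)'"),
    "aborted": re.compile(TS + r"imap-login: Aborted login \([^)]*\): "
                               r"user=<(?P<user>[^>]+)>.*?rip=(?P<ip>[^,]+)"),
    "login": re.compile(TS + r"imap-login: Login: user=<(?P<user>[^>]+)>.*?rip=(?P<ip>[^,]+)"),
}

def parse(text, year=2000):
    """Return sorted (time, kind, user, ip) events; syslog has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append((when, kind, m["user"], m["ip"]))
                break
    return sorted(events)

def summarize(events, window=timedelta(seconds=10), min_poll=timedelta(minutes=5)):
    """Per (user, ip): cphulk blocks, blocks followed by an aborted login, rapid attempts."""
    stats, last_block, last_try = {}, {}, {}
    for when, kind, user, ip in events:
        key = (user, ip)
        s = stats.setdefault(key, {"blocked": 0, "blocked_then_aborted": 0,
                                   "attempts": 0, "short_gaps": 0})
        if kind == "blocked":
            s["blocked"] += 1
            last_block[key] = when
            continue
        s["attempts"] += 1  # a Login or Aborted login line is one client attempt
        if key in last_try and when - last_try[key] < min_poll:
            s["short_gaps"] += 1  # client tried again sooner than the 5-minute interval
        last_try[key] = when
        if kind == "aborted" and key in last_block and when - last_block[key] <= window:
            s["blocked_then_aborted"] += 1
    return stats

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

A high `short_gaps` count next to `blocked_then_aborted` entries matches the pattern described in the final reply; blocks with no entry in the cPHulk history still need to be checked against the account rather than the IP.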