Since upgrading a cPanel account to 11.24 and switching from Courier to Dovecot, I'm noticing a variety of entries in /var/log/exim_mainlog that in the past I think would have triggered LFD and caused an IP block. These involve "Incorrect authentication" or "Unable to authenticate" responses.
Attached is a text file with a snippet of entries from our log file.
Jonathon - should (or is there a way for) entries like these to trigger LFD?
Many thanks -
LFD: Additional Dovecot Failure Detection
Reconfirmed the sample entries I posted in first thread are in exim_mainlog.
Did some additional research. The Dovecot behavior in the log files where, after a wrong password is supplied, all subsequent attempts fail with "435 Unable to authenticate at present: authentication socket read error or premature eof" is a known issue in Exim 4.68 (cPanel 11.24.4-R32603).
I found some threads that suggest this has been corrected in Exim 4.70. Does it make any sense to post this on cpanel.net, or do you think they are aware of the issue? Many thx -
Note: As I cannot include a URL due to my number of posts, search Google for the following:
Dovecot-authenticator-always-fails-if-in-first-attempt-wrong-password-is-given-td19453989.html
The regex needs to be updated to handle SMTP login failures for those using Dovecot. After changing to Dovecot these will use the dovecot_login authenticator as found in the exim.conf. Some of the failures in the exim_mainlog will look like:
2009-08-07 15:25:34 dovecot_login authenticator failed for host69-53-118-91.birch.net (windows) [69.53.118.91]: 535 Incorrect authentication data (set_id=postmaster)
2009-08-07 15:25:34 dovecot_login authenticator failed for host69-53-118-91.birch.net (windows) [69.53.118.91]: 535 Incorrect authentication data (set_id=postmaster)
I only just discovered this after a server got pounded with SMTP login failures and LFD wasn't doing a thing about it. I'll have to apply our own fix for now.
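An added example, not part of the thread and not csf/LFD's own code: a Python matcher for Exim mainlog SMTP AUTH failures that does not depend on the authenticator name, so dovecot_login lines are counted like any other. The sample lines are constructed (documentation IP ranges), `legacy_login` is a made-up authenticator name, and the function names and the limit of 3 are assumptions.

```python
import re
from collections import Counter

# One pattern for every authenticator: the name before "authenticator failed"
# is captured, not hard-coded, so a Courier -> Dovecot switch changes nothing.
AUTH_FAIL = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
    r"(?P<auth>\w+) authenticator failed for "
    r"(?:\S+ )?(?:\([^)]*\) )?"                 # optional rDNS name and (HELO)
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)?: "    # [ip], optional :port
    r"(?P<code>[45]35) (?P<msg>.*)$"
)

def failures_by_ip(lines, codes=("535",)):
    """Count AUTH failures per source IP for the given SMTP reply codes."""
    counts = Counter()
    for line in lines:
        m = AUTH_FAIL.match(line.strip())
        if m and m.group("code") in codes:
            counts[m.group("ip")] += 1
    return counts

def offenders(lines, limit=3, codes=("535", "435")):
    """IPs at or over the limit. Counting 435 as well covers the case from the
    thread where every attempt after a wrong password is answered with 435."""
    counts = failures_by_ip(lines, codes)
    return sorted(ip for ip, n in counts.items() if n >= limit)

# Constructed sample log lines, modelled on the messages quoted in the thread.
SAMPLE = """\
2009-08-07 15:25:34 dovecot_login authenticator failed for mail.example.net (windows) [192.0.2.10]: 535 Incorrect authentication data (set_id=postmaster)
2009-08-07 15:25:35 dovecot_login authenticator failed for mail.example.net (windows) [192.0.2.10]: 435 Unable to authenticate at present: authentication socket read error or premature eof
2009-08-07 15:25:36 dovecot_login authenticator failed for mail.example.net (windows) [192.0.2.10]: 435 Unable to authenticate at present: authentication socket read error or premature eof
2009-08-07 15:26:01 legacy_login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=info)
2009-08-07 15:26:05 1MZabc-0001Xy-Ab <= user@example.com H=(laptop) [198.51.100.7] P=esmtpa S=1234
""".splitlines()

if __name__ == "__main__":
    print("535 only:", dict(failures_by_ip(SAMPLE)))
    print("over limit (535 + 435):", offenders(SAMPLE))
```

Counting only 535 leaves the first address at a single failure; including 435 is what pushes it over the limit.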