LFD: Additional Dovecot Failure Detection

RickG
Junior Member
Posts: 7
Joined: 01 Oct 2008, 20:29

Post by RickG »

Since upgrading a cPanel account to 11.24 and switching from Courier to Dovecot, I'm noticing a variety of entries in /var/log/exim_mainlog that in the past I think would have triggered LFD and caused an IP block. These involve "Incorrect authentication" or "Unable to authenticate" responses.

Attached is a text file with a snippet of entries from our log file.

Jonathon - should (or is there a way for) entries like these to trigger LFD?

Many thanks -
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

Are these in exim_mainlog or /var/log/maillog? lfd checks the POP3D_LOG setting for such failures which ought to be logging to /var/log/maillog. If not, you may need to change that setting.
RickG
Junior Member
Posts: 7
Joined: 01 Oct 2008, 20:29

Post by RickG »

Reconfirmed the sample entries I posted in first thread are in exim_mainlog.

Did some additional research. The Dovecot behavior in the log files where, after a wrong password is supplied, all subsequent attempts fail with "435 Unable to authenticate at present: authentication socket read error or premature eof" is a known issue in Exim 4.68 (cPanel 11.24.4-R32603).

I found some threads that suggest this has been corrected in Exim 4.70. Does it make any sense to post this on cpanel.net, or do you think they are aware of the issue? Many thx -

Note: As I cannot include a URL due to my number of posts, search Google for the following:
Dovecot-authenticator-always-fails-if-in-first-attempt-wrong-password-is-given-td19453989.html
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

I'd suggest that you log it with cPanel on bugzilla.cpanel.net with all the technical information so that they can investigate it.
andrewt
Junior Member
Posts: 2
Joined: 07 Aug 2009, 21:38

Post by andrewt »

The regex needs to be updated to handle SMTP login failures for those using Dovecot. After changing to Dovecot these will use the dovecot_login authenticator as found in the exim.conf. Some of the failures in the exim_mainlog will look like:

2009-08-07 15:25:34 dovecot_login authenticator failed for host69-53-118-91.birch.net (windows) [69.53.118.91]: 535 Incorrect authentication data (set_id=postmaster)
2009-08-07 15:25:34 dovecot_login authenticator failed for host69-53-118-91.birch.net (windows) [69.53.118.91]: 535 Incorrect authentication data (set_id=postmaster)

I only just discovered this after a server got pounded with SMTP login failures and LFD wasn't doing a thing about it. I'll have to apply our own fix for now.
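Added example, not part of the thread and not csf/lfd code: a small Python scanner for the `dovecot_login authenticator failed` line shape quoted in the post above, counting 535 failures per source address in a sliding window. The function names, the limit of 5 in 300 seconds and the sample lines (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim mainlog line for a failed dovecot_login SMTP AUTH attempt. Host name,
# HELO name, ":port" after the address and set_id are all treated as optional.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"dovecot_login authenticator failed for "
    r"(?:\S+ )?(?:\([^)]*\) )?\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)?: "
    r"(?P<code>\d{3}) .*?(?: \(set_id=(?P<user>[^)]*)\))?$"
)

def parse_failure(line):
    """Return (timestamp, ip, smtp_code, user) or None if the line differs."""
    m = FAIL_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip"), int(m.group("code")), m.group("user")

def offenders(lines, limit=5, window=timedelta(seconds=300)):
    """Map each IP to the time it reached `limit` 535 failures in `window`."""
    recent = defaultdict(list)   # ip -> failure times still inside the window
    flagged = {}                 # ip -> time the limit was first reached
    for line in lines:
        hit = parse_failure(line)
        # Count only 535 (rejected credentials). A 435 is a temporary
        # server-side error and is not treated as a login failure here.
        if hit is None or hit[2] != 535:
            continue
        ts, ip = hit[0], hit[1]
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= limit:
            flagged.setdefault(ip, ts)
    return flagged

# Constructed sample in the exim_mainlog shape quoted above (not real data).
SAMPLE = [
    f"2009-08-07 15:25:{s:02d} dovecot_login authenticator failed for "
    "mail.example.net (windows) [203.0.113.7]: 535 Incorrect "
    "authentication data (set_id=postmaster)" for s in range(30, 35)
] + [
    "2009-08-07 15:26:01 dovecot_login authenticator failed for "
    "[198.51.100.9]: 535 Incorrect authentication data (set_id=info)",
    "2009-08-07 15:26:05 dovecot_login authenticator failed for "
    "[198.51.100.9]: 435 Unable to authenticate at present",
]
if __name__ == "__main__":
    print(offenders(SAMPLE))
```

Excluding 435 responses keeps the temporary "Unable to authenticate at present" errors described earlier in the thread from counting toward a block.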
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

There will be an extended dovecot regex in the next csf release.
andrewt
Junior Member
Posts: 2
Joined: 07 Aug 2009, 21:38

Post by andrewt »

BTW, the latest version does not fix this.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

I'll add it to the dev list to look into.