Page 1 of 1

dovecot login failures not being caught with cPanel/WHM 100

Posted: 02 Nov 2021, 11:58
by philh
Since upgrading to cPanel/WHM version 100, some (all?) dovecot login failures are no longer being caught by lfd. It appears that the log entries have changed eg

Code: Select all

<date> vps dovecot: imap-login: Aborted login (auth failed, 2 attempts in 17 secs): 
has become:

Code: Select all

<date> vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 11 secs):
There is a reference to this in the dovecot release notes [1] for v2.3.15 2021-06-21

dovecot is v2.3.15 with cPanel 100.

[1] https://dovecot.org/doc/NEWS

Re: dovecot login failures not being caught with cPanel/WHM 100

Posted: 08 Nov 2021, 17:31
by ForumAdmin
This should be resolved in v14.12 which has just been released:
https://blog.configserver.com/

Re: dovecot login failures not being caught with cPanel/WHM 100

Posted: 09 Nov 2021, 10:45
by philh
Hi

Thanks for the update. However all login failures are still not being caught. I think there are two problems in the new regex:

1. It does not capture login failures with "Disconnected: Connection closed (auth failed...". (These would previously have just been "Disconnected: (auth failed...). Example entry:

Code: Select all

Nov  9 08:49:04 vps dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<user@example.com>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS: Connection closed, session=<xDz3BfjQrZZcz08I>
2. There appears to be an error in the regex after the "(method=\S+, )?" capture group - there is an extra ", ".

The following amended regex (for imap) works:

Code: Select all

^(\S+|\S+\s+\d+\s+\S+) \S+ dovecot(\[\d+\])?: imap-login: (Disconnected: )?(Aborted login( by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)(\s*\(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip=

Re: dovecot login failures not being caught with cPanel/WHM 100

Posted: 19 Nov 2021, 14:27
by jw47
I am experiencing the same issue on csf v14.12, directly installed on a Debian 10 server without any control panel.
Also Dovecot 2.3.17 (e2aa53df5b) errors not being recognized by csf.

Code: Select all

Nov 19 15:19:33 mailer dovecot: auth: passwd-file(user@example.com,1.2.3.4,<cdnK9iTRiuFN+rPK>): Password mismatch
Nov 19 15:21:23 mailer dovecot: submission-login: Disconnected: Connection closed (auth failed, 2 attempts in 110 secs): user=<user@example.com>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<cdnK9iTRiuFN+rPK>
I hope this helps some in locating the issue at hand?