LFD: Additional Dovecot Failure Detection
Posted: 29 Dec 2008, 13:13
by RickG
Since upgrading a cPanel account to 11.24 and switching from Courier to Dovecot, I'm noticing a variety of entries in /var/log/exim_mainlog that in the past I think would have triggered LFD and caused an IP block. These involve "Incorrect authentication" or "Unable to authenticate" responses.
Attached is a text file with a snippet of entries from our log file.
Jonathon - should (or is there a way for) entries like these to trigger LFD?
Many thanks -
Posted: 02 Jan 2009, 17:25
by chirpy
Are these in exim_mainlog or /var/log/maillog? lfd checks the POP3D_LOG setting for such failures which ought to be logging to /var/log/maillog. If not, you may need to change that setting.
Posted: 05 Jan 2009, 10:14
by RickG
Reconfirmed the sample entries I posted in first thread are in exim_mainlog.
Did some additional research. The Dovecot behavior in the log files where, after a wrong password is supplied, all subsequent attempts fail with "435 Unable to authenticate at present: authentication socket read error or premature eof" is a known issue in Exim 4.68 (cPanel 11.24.4-R32603).
I found some threads that suggest this has been corrected in Exim 4.70. Does it make any sense to post this on cpanel.net, or do you think they are aware of the issue? Many thx -
Note: As I cannot include a URL due to my number of posts, search Google for the following:
Dovecot-authenticator-always-fails-if-in-first-attempt-wrong-password-is-given-td19453989.html
Posted: 08 Jan 2009, 15:35
by chirpy
I'd suggest that you log it with cPanel on bugzilla.cpanel.net with all the technical information so that they can investigate it.
Posted: 07 Aug 2009, 21:46
by andrewt
The regex needs to be updated to handle SMTP login failures for those using Dovecot. After changing to Dovecot these will use the dovecot_login authenticator as found in the exim.conf. Some of the failures in the exim_mainlog will look like:
2009-08-07 15:25:34 dovecot_login authenticator failed for host69-53-118-91.birch.net (windows) [69.53.118.91]: 535 Incorrect authentication data (set_id=postmaster)
2009-08-07 15:25:34 dovecot_login authenticator failed for host69-53-118-91.birch.net (windows) [69.53.118.91]: 535 Incorrect authentication data (set_id=postmaster)
I only just discovered this after a server got pounded with SMTP login failures and LFD wasn't doing a thing about it. I'll have to apply our own fix for now.
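Added example, not part of the original thread and not lfd's own regex or code: a Python sketch of the detection described in the post above. It matches the quoted dovecot_login failure lines in exim_mainlog and flags source IPs that repeat them inside a time window. The function name, threshold, window and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Line shape taken from the exim_mainlog entries quoted in the post above.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"dovecot_login authenticator failed for "
    r"(?:(?P<host>[^\s(\[]\S*) )?(?:\((?P<helo>[^)]*)\) )?"
    r"\[(?P<ip>[0-9A-Fa-f:.]+)\](?::\d+)?: "
    r"(?P<code>\d{3}) (?P<text>.*?)(?: \(set_id=(?P<user>[^)]*)\))?$"
)

def find_offenders(lines, threshold=5, window_seconds=300, codes=("535",)):
    """Map each IP with >= threshold matching failures inside the window
    to the sorted list of set_id values it tried."""
    recent, users, flagged = defaultdict(deque), defaultdict(set), {}
    for line in lines:
        m = FAIL_RE.match(line.strip())
        # Only 535 counts by default: the thread describes the 435 responses
        # as an Exim issue following a wrong password, so counting them
        # would inflate the tally for legitimate clients.
        if not m or m.group("code") not in codes:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip, q = m.group("ip"), recent[m.group("ip")]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        users[ip].add(m.group("user") or "-")
        if len(q) >= threshold:
            flagged[ip] = sorted(users[ip])
    return flagged

def _mk(ts, ip, code, text, user):  # builds constructed sample lines
    return (f"2009-08-07 {ts} dovecot_login authenticator failed for "
            f"(windows) [{ip}]: {code} {text} (set_id={user})")

BAD, TMP = "Incorrect authentication data", "Unable to authenticate at present"
# Constructed sample log (documentation-range IPs), not real traffic.
SAMPLE = (
    [_mk(f"15:25:{30 + i}", "203.0.113.7", "535", BAD, u)
     for i, u in enumerate(["postmaster", "admin", "info", "admin", "test"])]
    + [_mk("15:26:00", "198.51.100.20", "535", BAD, "alice")]
    + [_mk(f"15:26:0{i}", "198.51.100.20", "435", TMP, "alice") for i in range(1, 6)]
    + [_mk(f"{10 + i}:00:00", "192.0.2.44", "535", BAD, "bob") for i in range(5)]
)

if __name__ == "__main__":
    print(find_offenders(SAMPLE))
```

With the defaults only the burst from 203.0.113.7 is flagged; the client that hit one 535 followed by 435 responses and the client with failures spread over hours are not.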
Posted: 20 Aug 2009, 10:04
by chirpy
There will be an extended dovecot regex in the next csf release.
Posted: 08 Sep 2009, 15:59
by andrewt
BTW, the latest version does not fix this.
Posted: 10 Sep 2009, 10:11
by chirpy
I'll add it to the dev list to look into.