
Users blocked with correct PW if auth daemons full or down

Posted: 17 Jul 2014, 23:35
by skate323k137
Not sure if this can be fixed from CSF/LFD's side or not, however, my bosses (at a major hosting provider) consider this a CSF bug since users can be blocked even when using correct passwords. Assume cPanel CentOS server here.

Problem: If authdaemond is busy or down, logins (even with the correct password) to the mailserver will fail, and are logged like this:

May 9 18:23:01 authdaemontest pop3d: LOGIN FAILED, user=test2@emailsupport.com, ip=[::ffff:my.ip.address]
May 9 18:23:01 authdaemontest pop3d: authentication error: Input/output error

Unfortunately the I/O error is logged on a 2nd line, but indicates the failure was server side and not necessarily an issue with credentials. If it were logged on the same line, I could see this being an easy fix in regex.pm.

A normal failed login, if I'm not mistaken, has no 2nd line until the next command is issued by the client (i.e. quit/logout):

May 14 14:10:55 authdaemontest pop3d: LOGIN FAILED, user=test2@support.com, ip=[::ffff:my.ip.address]
May 14 14:11:03 authdaemontest pop3d: LOGOUT, ip=[::ffff:my.ip.address]
May 14 14:11:03 authdaemontest pop3d: Disconnected, ip=[::ffff:my.ip.address]

The result is that if authdaemond is busy or down, or the server doesn't have enough auth daemons configured, legitimate users using correct passwords are blocked by LFD (I have seen this a handful of times on busy mail servers).

I know it's unlikely, but is there any way that regex.pm could be modified to not count the failed login against the remote IP if the Input/output error is logged on the next line?

Thanks.
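The two-line correlation asked for above can be sketched as a stand-alone log triage script. This is an added example, not part of the original post and not CSF/LFD or regex.pm code. The function name, the sample log and the pairing rule (the error line must directly follow the failure with the same timestamp, host and service) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines quoted in the post above.
# 192.0.2.x and 198.51.100.x are documentation addresses.
SAMPLE_LOG = """\
May  9 18:23:01 authdaemontest pop3d: LOGIN FAILED, user=test2@example.com, ip=[::ffff:192.0.2.10]
May  9 18:23:01 authdaemontest pop3d: authentication error: Input/output error
May  9 18:23:05 authdaemontest pop3d: LOGIN FAILED, user=test2@example.com, ip=[::ffff:192.0.2.10]
May  9 18:23:05 authdaemontest pop3d: authentication error: Input/output error
May 14 14:10:55 authdaemontest pop3d: LOGIN FAILED, user=test2@example.com, ip=[::ffff:198.51.100.7]
May 14 14:11:03 authdaemontest pop3d: LOGOUT, ip=[::ffff:198.51.100.7]
May 14 14:11:03 authdaemontest pop3d: Disconnected, ip=[::ffff:198.51.100.7]
May 14 14:11:09 authdaemontest pop3d: LOGIN FAILED, user=test2@example.com, ip=[::ffff:198.51.100.7]
"""

# Assumption: classic syslog prefix "Mon DD HH:MM:SS host service: ".
PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<svc>\w+): "
FAILED = re.compile(PREFIX + r"LOGIN FAILED, user=[^,]*, ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]")
IO_ERROR = re.compile(PREFIX + r"authentication error: Input/output error")


def classify_failures(lines):
    """Return {ip: {"credential": n, "server_side": n}} for LOGIN FAILED lines."""
    counts = defaultdict(lambda: {"credential": 0, "server_side": 0})
    pending = None  # last LOGIN FAILED not yet classified

    def flush(kind):
        nonlocal pending
        if pending is not None:
            counts[pending["ip"]][kind] += 1
            pending = None

    for line in lines:
        err = IO_ERROR.match(line)
        # The error line carries no IP or PID, so pair it only with the
        # failure directly before it (heuristic; interleaving can defeat it).
        if (err and pending and
                all(err[k] == pending[k] for k in ("ts", "host", "svc"))):
            flush("server_side")
            continue
        flush("credential")  # any other line closes the pending failure
        m = FAILED.match(line)
        if m:
            pending = m.groupdict()
    flush("credential")
    return dict(counts)
```

Run over the mail log, this shows which addresses accumulated failures only while the auth daemon was returning I/O errors, which helps decide which LFD blocks to lift after an authdaemond outage.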

Re: Users blocked with correct PW if auth daemons full or down

Posted: 18 Jun 2015, 20:48
by sparkling
This same issue just caused a bunch of havoc today. I think this is something that should be addressed just for the sake of making csf an even more robust product.