IP's getting banned for aborted logins

[ffeingol]

Hello Guys,

We're seeing an increasing number of IP's getting blocked for 'aborted' logins. The messages look like:

Code: Select all

May 17 12:52:25 ### dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<###>, method=PLAIN, rip=###, lip=###, TLS, session=<###>
May 17 12:52:31 ### dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<###>, method=PLAIN, rip=###, lip=###, TLS: Disconnected, session=<###>

Is there any way to not block these aborted logins?

[Elizine]

From the template /etc/dovecot/conf.d/10-auth.conf

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = yes

[ffeingol]

Hello,

Thanks. We're not really looking to disable the login method, just not block the users. We found that there is a specific regex for these failed logins in lfd, so it does not look like there is any way to bypass this 'error'. It's a tad frustrating as we get a lot of tickets for people blocked by aborted logins.

[dvk01]

increase the Enable login failure detection of SMTP AUTH connections ( and POP3 & IMAP ) to at least 5 it looks like you are set as 1, so it blocks after a single failure, which will include an aborted log in by a user and can also happen with internet issues
If you don't want lots of help tickets also set those to be temp blocks for 30 minutes or 1 hour and set the temp to perm block to something like 3 or 4 to permanently block genuine attacks, but automatically unblock user errors. Then inform all your users that if they get blocked to wait 30 mins /1 hour before sending a ticket to help desk.