Back to Community Threads
2
Beta 7264 POP too many failed login attempts IDS blocking
Problem reported by Robert Simpson - 11/27/2019 at 8:24 PM
Submitted
After upgrading, I have at least one POP3 user being IDS blocked in spite of never having reported a bad password.  This started happening after the change to enable NTLM auth ... here's an example log:

[2019.11.27] 13:06:24.078 [47.199.53.95][58663423] +OK POP3 server ready <fb636a4e-7fbc-4710-8081-cdc504c26d2e@mysupersecretdomain.com>
[2019.11.27] 13:06:24.078 [47.199.53.95][58663423] connected at 11/27/2019 1:06:24 PM
[2019.11.27] 13:06:24.141 [47.199.53.95][58663423] CAPA
[2019.11.27] 13:06:24.141 [47.199.53.95][58663423] +OK Capability list follows
[2019.11.27] 13:06:24.219 [47.199.53.95][58663423] AUTH NTLM
[2019.11.27] 13:06:24.234 [47.199.53.95][58663423] + OK
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] Closing transmission channel: too many authentication failures from this IP
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] -ERR Too many authentication failures by this IP, closing transmission channel
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] disconnected at 11/27/2019 1:06:24 PM
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] connected at 11/27/2019 1:08:13 PM
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] "421 Server is busy, try again later." response returned.
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] IP blocked by brute force abuse detection rule
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] disconnected at 11/27/2019 1:08:13 PM
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] connected at 11/27/2019 1:13:46 PM
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] "421 Server is busy, try again later." response returned.
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] IP blocked by brute force abuse detection rule

The user had zero bad password attempts prior to this entry, and there were no retries, nothing.  It failed the user immediately on the first attempt to authenticate before even being allowed to submit credentials.

2 Replies

Reply to Thread
0
Jade D Replied
11/28/2019 at 11:57 PM
I have a ticket open about this exact same issue.
The only work around for now is to whitelist the IP or remove the IDS blocks (for us this is not an option)
Jade https://absolutehosting.co.za
0
Matt Petty Replied
12/4/2019 at 12:12 PM
Employee Post
@Jade I believe this topic is specific to the BETA version of SmarterMail, I checked and you appear to be running on a non-beta version.

@Robert, sorry I didn't see this thread earlier. Try updating to Beta 7269, we fixed an issue with NTLM authentication.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
Back to Community Threads

Reply to Thread

Enter the verification text

Related Knowledge Base Articles

Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
SmarterMail for Linux – SSL/TLS & Certificate ReferenceSmarterMail > Server Configuration and Management
Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Change the Login AttemptsSmarterStats > Installation and Configuration
Recommended SPAM SettingsSmarterMail > Antispam and Antivirus