Back to Community Threads
2
Beta 7264 POP too many failed login attempts IDS blocking
Problem reported by Robert Simpson - 11/27/2019 at 8:24 PM
Submitted
After upgrading, I have at least one POP3 user being IDS blocked in spite of never having reported a bad password.  This started happening after the change to enable NTLM auth ... here's an example log:

[2019.11.27] 13:06:24.078 [47.199.53.95][58663423] +OK POP3 server ready <fb636a4e-7fbc-4710-8081-cdc504c26d2e@mysupersecretdomain.com>
[2019.11.27] 13:06:24.078 [47.199.53.95][58663423] connected at 11/27/2019 1:06:24 PM
[2019.11.27] 13:06:24.141 [47.199.53.95][58663423] CAPA
[2019.11.27] 13:06:24.141 [47.199.53.95][58663423] +OK Capability list follows
[2019.11.27] 13:06:24.219 [47.199.53.95][58663423] AUTH NTLM
[2019.11.27] 13:06:24.234 [47.199.53.95][58663423] + OK
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] Closing transmission channel: too many authentication failures from this IP
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] -ERR Too many authentication failures by this IP, closing transmission channel
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] disconnected at 11/27/2019 1:06:24 PM
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] connected at 11/27/2019 1:08:13 PM
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] "421 Server is busy, try again later." response returned.
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] IP blocked by brute force abuse detection rule
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] disconnected at 11/27/2019 1:08:13 PM
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] connected at 11/27/2019 1:13:46 PM
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] "421 Server is busy, try again later." response returned.
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] IP blocked by brute force abuse detection rule

The user had zero bad password attempts prior to this entry, and there were no retries, nothing.  It failed the user immediately on the first attempt to authenticate before even being allowed to submit credentials.

2 Replies

Reply to Thread
0
Jade D Replied
11/28/2019 at 11:57 PM
I have a ticket open about this exact same issue.
The only work around for now is to whitelist the IP or remove the IDS blocks (for us this is not an option)
Jade
0
Matt Petty Replied
12/4/2019 at 12:12 PM
Employee Post
@Jade I believe this topic is specific to the BETA version of SmarterMail, I checked and you appear to be running on a non-beta version.

@Robert, sorry I didn't see this thread earlier. Try updating to Beta 7269, we fixed an issue with NTLM authentication.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
Back to Community Threads

Reply to Thread

Related Community Threads

fr-view table td -- border 1px?Question by Montague WebWorks - Today
/!\ Half-broken CalDAV probably since Build 7751Problem reported by Sébastien Riccio - Today
All of my emails have been deletedProblem reported by Simão Pinho - Today
Accidently deleted all emails in Inbox. Recovery possible?Question by Mike S - Today
WHMCS Provisioning Module for SmarterMailQuestion by ram - Today

Related Knowledge Base Articles

Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Cannot Send Outgoing Email MessagesSmarterMail > Troubleshooting
Change the Login AttemptsSmarterStats > Installation and Configuration
Configure POP for iPhone, iPad or iPod TouchSmarterMail > Desktop and Mobile Synchronization