Back to Community Threads
Beta 7264 POP too many failed login attempts IDS blocking
Problem reported by Robert Simpson - 11/27/2019 at 8:24 PM
Submitted
After upgrading, I have at least one POP3 user being IDS blocked in spite of never having reported a bad password.  This started happening after the change to enable NTLM auth ... here's an example log:

[2019.11.27] 13:06:24.078 [47.199.53.95][58663423] +OK POP3 server ready <fb636a4e-7fbc-4710-8081-cdc504c26d2e@mysupersecretdomain.com>
[2019.11.27] 13:06:24.078 [47.199.53.95][58663423] connected at 11/27/2019 1:06:24 PM
[2019.11.27] 13:06:24.141 [47.199.53.95][58663423] CAPA
[2019.11.27] 13:06:24.141 [47.199.53.95][58663423] +OK Capability list follows
[2019.11.27] 13:06:24.219 [47.199.53.95][58663423] AUTH NTLM
[2019.11.27] 13:06:24.234 [47.199.53.95][58663423] + OK
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] Closing transmission channel: too many authentication failures from this IP
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] -ERR Too many authentication failures by this IP, closing transmission channel
[2019.11.27] 13:06:24.313 [47.199.53.95][58663423] disconnected at 11/27/2019 1:06:24 PM
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] connected at 11/27/2019 1:08:13 PM
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] "421 Server is busy, try again later." response returned.
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] IP blocked by brute force abuse detection rule
[2019.11.27] 13:08:13.250 [47.199.53.95][63870691] disconnected at 11/27/2019 1:08:13 PM
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] connected at 11/27/2019 1:13:46 PM
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] "421 Server is busy, try again later." response returned.
[2019.11.27] 13:13:46.095 [47.199.53.95][29871778] IP blocked by brute force abuse detection rule

The user had zero bad password attempts prior to this entry, and there were no retries, nothing.  It failed the user immediately on the first attempt to authenticate before even being allowed to submit credentials.

2 Replies

Reply to Thread
0
Jade D Replied
11/28/2019 at 11:57 PM
I have a ticket open about this exact same issue.
The only work around for now is to whitelist the IP or remove the IDS blocks (for us this is not an option)
Jade
0
Matt Petty Replied
12/4/2019 at 12:12 PM
Employee Post
@Jade I believe this topic is specific to the BETA version of SmarterMail, I checked and you appear to be running on a non-beta version.

@Robert, sorry I didn't see this thread earlier. Try updating to Beta 7269, we fixed an issue with NTLM authentication.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
Back to Community Threads

Reply to Thread

Related Community Threads

Gmail Migration BrokenProblem reported by J Lee - Today
Is, user details report possible to export using client customization?Question by Kunal Mayekar - Today
[17] Calendar error messageProblem reported by Martin Schaible - Yesterday
Change email password on a domain as system administratorQuestion by Mark Thrasher - Yesterday
[17] EMail Signature can't be edited after insertProblem reported by Martin Schaible - Yesterday

Related Knowledge Base Articles

Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
Change the Login Attempts in SmarterMailSmarterMail > Installation and Configuration
Send and Receive Email From Third-Party AccountsSmarterMail > Domain/User Configuration and Management
Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Cannot Send Outgoing Email MessagesSmarterMail > Troubleshooting