Weird Administrative.log entries after 8601
Problem reported by James McEachern - 8/21/2023 at 9:00 PM
I seem to be getting lots of this type of thing. Administrative logging set to detail.

Some are for clients, other are for IDS.
This is an IP for a customer that does successfully login right after I see this.
They are Mac Mail clients.

00:05:36.948 [172.103.XXX.XX] POP NtlmAuthenticate False IDS counting for NTLM failures over POP at this IP is throttled.

Definitely started after we upgraded to 8601 9 days ago.

2 Replies

Reply to Thread
Andrew Barker Replied
Employee Post Marked As Resolution
This is a known issue with NTLM authentication from Mac Mail. NTLM includes a couple different options for encoding the authentication data, and the client is supposed to indicate which is being used as part of the challenge-response. As noted in the log entry you provided, Mac Mail indicates that it is using LMv1. Due to design issues, LMv1 can only be used on passwords of up to 14 characters in length. Passwords that exceed that limit cannot be used to authenticate with LMv1. Even with shorter passwords however, Mac Mail doesn't properly implement NTLM authentication, but the error message would be different in that case.

The second log line is an indication that this specific authentication failure is not being counted against your Brute Force IDS rules. Because Mac Mail attempts NTLM authentication twice before falling back to another authentication method, we saw a scenario where an office with users primarily on Mac Mail would get locked out due to bad NTLM authentications. To minimize this scenario, we added a throttling mechanism. This mechanism is specifically limited to bad NTLM authentications over POP, IMAP, and SMTP. If you go back in the logs, you should find an NTLM authentication failure from the same IP for the same username that was counted against the IDS rules.

Andrew Barker
Software Developer
SmarterTools Inc.
(877) 357-6278

James McEachern Replied
Yep, this customer had it set on Automatic, vs Password.
Got the changes made to Password, and no errors now.
I assume this had been happening, silently, in the past.
Other Mac users are doing EWS, so no problem there.

Thanks Andrew.

Reply to Thread