• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Log password failures

D

DEEPAK MHATRE

New Pleskian
I have installed fail2ban on plesk Linux server using Postfix and dovecot

I want to know which email id is sending wrong password , below is current log

Feb 26 18:34:48 linux dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, session=<LPCc8ass/QByj8TP>

We have enabled following in dovecot.conf but still it is not showing email id which is failing

auth_verbose = yes
auth_debug = yes

Do we have to enable auth_debug_passwords = yes
 
The user they are submitting would be here 'user=<>' and as there is nothing between the brackets it indicates the mail client isn't supplying the username in which case you only have the IP address to track it down by. Enabling debug mode won't help as its never supplied. Hope that helps.
 
I could manage to get login name of user whose email client sending wrong password by enabling line below line in /etc/dovecot/dovecot.conf

auth_verbose = yes

enable auth_debug_passwords = yes is not necessarry
 
In this case there's probably no login name to log, the client is probably misconfigured. Or it may as well be a malicious bot, but if the bot tries to brute-force into your server you should see "Aborted login" instead of Disconnected". Here the client connects to the pop3 port but may not send any protocol specific command, just disconnects 2 seconds later. For example:
1. On the client I run:
echo "" | nc localhost 110
+OK Dovecot ready.
-ERR Unknown command.
2. On the server (same machine) I get:
May 11 16:57:11 centos6xen dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<elkIjYsypAAAAAAAAAAAAAAAAAAAAAAB>
The could be several reasons for this type of log entries, you shouldn't get fail2ban to match the empty user without doing some more analysis. We've seen plenty of occasions where the empty Dovecot login is caused by misconfigured legitimate clients.
 
You must log in or register to reply here.

Similar threads

C
Question Plesk Obsidian 18.0.65 Update 2 imap-login: Disconnected: Connection closed (auth failed
Replies
3
Views
801
Compy
C
Dork
Question Watchdog problem
Replies
3
Views
910
mow
M
S
Resolved Dovecot Broken After Latest Update
Replies
4
Views
2K
scpcomp
S
J
Issue Plesk's authentication driver for dovecot is trying to write to the email accounts password file
Replies
5
Views
549
John Calvert
J
Polli
Issue Mails only possible with a wildcard certificate
Replies
5
Views
612
Polli
Polli
Back
Top