too many failed authentication attempts

Discussion forum for Enterprise Edition.
dlloyd
Posts: 9
Joined: Mon Jul 18, 2011 8:30 pm

too many failed authentication attempts

Post by dlloyd » Mon Jul 18, 2011 8:38 pm

I am using version 5.11 of MailEnable. I have had a problem with a "copy" machine that is sending emails. I see the following in the debug file.

07/18/11 15:18:28 ME-E0125: Connection Refused: (192.168.1.106) was refused because there have been too many failed authentication attempts form the IP address.

Here is the information from the Activity log.

07/18/11 15:18:28 SMTP-IN 1E4679CC0A43469086B2276FC87FB1C2.MAI 1780 192.168.1.106 451 ESMTP MailEnable Service temporarily refused connection at 07/18/11 15:18:28 from IP (192.168.1.106) because of policy violation. 0 0

The copier is set up properly and has been sending email, then it quit. Here is a sample from the activity log.

07/18/11 15:02:56 SMTP-IN C38763EA450A40E689297E7F6328282D.MAI 1708 192.168.1.106 220 mail.sacssoftware.com ESMTP MailEnable Service, Version: 5.11--5.11 ready at 07/18/11 15:02:56 0 0
07/18/11 15:02:56 SMTP-IN C38763EA450A40E689297E7F6328282D.MAI 1708 192.168.1.106 EHLO EHLO [192.168.1.106] 250-sacssoftware.com [192.168.1.106], this server offers 6 extensions 172 22
07/18/11 15:02:56 SMTP-IN C38763EA450A40E689297E7F6328282D.MAI 1708 192.168.1.106 AUTH AUTH CRAM-MD5 535 Invalid username or password CRAM-MD5 128 15 copier
07/18/11 15:02:56 SMTP-IN C38763EA450A40E689297E7F6328282D.MAI 1708 192.168.1.106 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12 copier
07/18/11 15:02:56 SMTP-IN C38763EA450A40E689297E7F6328282D.MAI 1708 192.168.1.106 AUTH {blank} 334 UGFzc3dvcmQ6 18 26 copier@sacsinc.com
07/18/11 15:02:56 SMTP-IN C38763EA450A40E689297E7F6328282D.MAI 1708 192.168.1.106 AUTH Y29waWVyY29waWVy 235 Authenticated 19 18 copier@sacsinc.com
07/18/11 15:02:56 SMTP-IN C38763EA450A40E689297E7F6328282D.MAI 1708 192.168.1.106 MAIL MAIL FROM:<copier@sacsinc.com> 250 Requested mail action okay, completed 43 32 copier@sacsinc.com
07/18/11 15:02:56 SMTP-IN C38763EA450A40E689297E7F6328282D.MAI 1708 192.168.1.106 RCPT RCPT TO:<deborah@sacsinc.com> 250 Requested mail action okay, completed 43 31 copier@sacsinc.com
07/18/11 15:02:56 SMTP-IN C38763EA450A40E689297E7F6328282D.MAI 1708 192.168.1.106 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6 copier@sacsinc.com
07/18/11 15:02:56 SMTP-IN A2C1C04D15DB4D138FA6ACF9A310E391.MAI 1708 192.168.1.106 QUIT QUIT 221 Service closing transmission channel 42 6 copier@sacsinc.com


I have disabled CRAM-MD5 to see if the problem is resolved. Restarting the SMTP server corrects the issue. It almost seems like the program is counting the failed CRAM-MD5 as a failed login attempt. Is this the problem?

Danny

MailEnable-Ian
Site Admin
Posts: 9321
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: too many failed authentication attempts

Post by MailEnable-Ian » Tue Jul 19, 2011 1:25 am

Hi,

Yes, this seems to be the problem as you have stated. The reason for the IP address being banned is the "Abuse detection prevention" option that is enabled by default under the server policies options. When a connected IP reaches a total amount of invalid attempts to authenticate, the option will automatically add the IP to its deny list in memory, and it will be kept in the list for one hour or until the service is restarted.

The option is located within the administration at: Servers > localhost. Right-click on "localhost" and select properties. Next, navigate to the "policies" tab.

Regards,

Ian Margarone
MailEnable Support
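
Added example (not part of the original thread and not MailEnable code): a Python log check that counts failed AUTH replies (535) per source IP and separates those followed by a successful AUTH (235) in the same session, which is the CRAM-MD5 to LOGIN fallback pattern described above. It assumes space-separated fields in the order shown in the quoted activity log and that the third field identifies a session; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the activity log format quoted in
# this thread (documentation IPs, placeholder session IDs, redacted secrets).
SAMPLE_LOG = """\
07/18/11 15:02:56 SMTP-IN SESSION0001.MAI 1708 192.0.2.10 AUTH AUTH CRAM-MD5 535 Invalid username or password CRAM-MD5 128 15 copier
07/18/11 15:02:56 SMTP-IN SESSION0001.MAI 1708 192.0.2.10 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12 copier
07/18/11 15:02:56 SMTP-IN SESSION0001.MAI 1708 192.0.2.10 AUTH REDACTED 235 Authenticated 19 18 copier@example.test
07/18/11 15:10:01 SMTP-IN SESSION0002.MAI 1712 192.0.2.10 AUTH AUTH CRAM-MD5 535 Invalid username or password CRAM-MD5 128 15 copier
07/18/11 15:10:01 SMTP-IN SESSION0002.MAI 1712 192.0.2.10 AUTH REDACTED 235 Authenticated 19 18 copier@example.test
07/18/11 15:11:30 SMTP-IN SESSION0003.MAI 1720 198.51.100.7 AUTH AUTH LOGIN 535 Invalid username or password 34 12 admin
07/18/11 15:11:31 SMTP-IN SESSION0004.MAI 1721 198.51.100.7 AUTH AUTH LOGIN 535 Invalid username or password 34 12 root
"""

# Assumed layout: date time service session-id thread ip command rest-of-line
LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d+) (\S+) (\S+) (.*)$")
# Heuristic: the SMTP reply code is the first 235/535 followed by reply text.
REPLY = re.compile(r"\b(235|535) [A-Za-z]")

def summarize_auth(log_text):
    """Return {ip: {"failed", "fallback", "unrecovered"}} for AUTH entries."""
    sessions = defaultdict(list)  # (ip, session id) -> ordered reply codes
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(6) != "AUTH":
            continue
        reply = REPLY.search(m.group(7))
        if reply:
            sessions[(m.group(5), m.group(3))].append(reply.group(1))
    summary = defaultdict(lambda: {"failed": 0, "fallback": 0, "unrecovered": 0})
    for (ip, _session), codes in sessions.items():
        for i, code in enumerate(codes):
            if code != "535":
                continue
            summary[ip]["failed"] += 1
            # A later 235 in the same session means the client recovered.
            kind = "fallback" if "235" in codes[i + 1:] else "unrecovered"
            summary[ip][kind] += 1
    return dict(summary)

if __name__ == "__main__":
    for ip, row in summarize_auth(SAMPLE_LOG).items():
        print(ip, row)
```

A source whose failures are all in the "fallback" column is a client retrying with a second mechanism, as with the copier in this thread; one with only "unrecovered" failures is what the abuse detection option is meant to catch.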

spleeze
Posts: 12
Joined: Thu Dec 23, 2010 6:28 pm

Re: too many failed authentication attempts

Post by spleeze » Thu Jun 13, 2013 3:25 pm

How does one go about removing an IP from this list? Again, this is IMAP rejecting the connection, not SMTP, and I only see the IP Blocking -> Remove IP under SMTP and my IP is -not- in the SMTP settings. Is there another IP restriction somewhere else? There doesn't seem to be any way to clear an IP from the Servers -> Localhost -> Right-Click -> Policies tab.

-Brian

Teel
Posts: 3
Joined: Tue Oct 04, 2011 11:10 am

Re: too many failed authentication attempts

Post by Teel » Tue Jan 28, 2014 11:06 am

Hi

We suffer from the same problem.

Still no reply/solution on this?

Is it possible to add this IP on some white/exception list?

Regards Tobias

dustin
Posts: 34
Joined: Fri Jan 07, 2011 6:34 pm

Re: too many failed authentication attempts

Post by dustin » Thu May 01, 2014 2:12 pm

We've run into this issue with IMAP recently, so any update to this would be appreciated. I might just trace the database and call it a day, but an API call or a place in the GUI would be much more helpful than restarting services.

sektor7
Posts: 4
Joined: Mon May 26, 2014 7:24 pm

Re: too many failed authentication attempts

Post by sektor7 » Tue Jul 01, 2014 5:40 pm

Same Problem here (IMAP-Connections on ME Professional 8.50 with Outlook 2013). It's terrible!

sagelike
Posts: 309
Joined: Fri Feb 23, 2007 4:58 am

Re: too many failed authentication attempts

Post by sagelike » Tue Jul 15, 2014 3:57 pm

Raise the number of failed attempts from default to 20 or 30.

Unless the password is brain-dead easy (i.e. 11111, in which case it deserves to be hacked), I go under the assumption that a legitimate user may get their password wrong 10 or 15 times but a hacker will likely have to try dozens if not hundreds of times to break any reasonably strong password.

I've set mine to 30 attempts under localhost>Policies before locking out an account and that has reduced the number of lockouts for legitimate users. You could probably go a little higher without reducing security.

This is separate from Connection Dropping of course.
