dovecot login failures not being caught with cPanel/WHM 100

This forum is only for reproducible bugs with csf and lfd (i.e. not iptables problems, lack of understanding how to use a feature, etc). Posts must be accompanied with full technical details of the problem and how it can be recreated. Any posts not adhering to this, or not considered bugs, will be moved to the General Discussion (csf) forum.
Post Reply
philh
Junior Member
Posts: 14
Joined: 14 Aug 2018, 11:59

dovecot login failures not being caught with cPanel/WHM 100

Post by philh »

Since upgrading to cPanel/WHM version 100, some (all?) dovecot login failures are no longer being caught by lfd. It appears that the log entries have changed eg

Code: Select all

<date> vps dovecot: imap-login: Aborted login (auth failed, 2 attempts in 17 secs): 
has become:

Code: Select all

<date> vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 11 secs):
There is a reference to this in the dovecot release notes [1] for v2.3.15 2021-06-21

dovecot is v2.3.15 with cPanel 100.

[1] https://dovecot.org/doc/NEWS
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: dovecot login failures not being caught with cPanel/WHM 100

Post by ForumAdmin »

This should be resolved in v14.12 which has just been released:
https://blog.configserver.com/
philh
Junior Member
Posts: 14
Joined: 14 Aug 2018, 11:59

Re: dovecot login failures not being caught with cPanel/WHM 100

Post by philh »

Hi

Thanks for the update. However all login failures are still not being caught. I think there are two problems in the new regex:

1. It does not capture login failures with "Disconnected: Connection closed (auth failed...". (These would previously have just been "Disconnected: (auth failed...). Example entry:

Code: Select all

Nov  9 08:49:04 vps dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<user@example.com>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS: Connection closed, session=<xDz3BfjQrZZcz08I>
2. There appears to be an error in the regex after the "(method=\S+, )?" capture group - there is an extra ", ".

The following amended regex (for imap) works:

Code: Select all

^(\S+|\S+\s+\d+\s+\S+) \S+ dovecot(\[\d+\])?: imap-login: (Disconnected: )?(Aborted login( by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)(\s*\(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip=
jw47
Junior Member
Posts: 1
Joined: 19 Nov 2021, 11:50

Re: dovecot login failures not being caught with cPanel/WHM 100

Post by jw47 »

I am experiencing the same issue on csf v14.12, directly installed on a Debian 10 server without any control panel.
Also Dovecot 2.3.17 (e2aa53df5b) errors not being recognized by csf.

Code: Select all

Nov 19 15:19:33 mailer dovecot: auth: passwd-file(user@example.com,1.2.3.4,<cdnK9iTRiuFN+rPK>): Password mismatch
Nov 19 15:21:23 mailer dovecot: submission-login: Disconnected: Connection closed (auth failed, 2 attempts in 110 secs): user=<user@example.com>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<cdnK9iTRiuFN+rPK>
I hope this helps some in locating the issue at hand?
Post Reply