BFM & Dovecot: Disconnected no auth attempts

Hello,

We are facing a strange issue with BFM & Dovecot. An IP of a customer got blocked; during the investigation we did not find any attempts to log in with a wrong password, but we see a lot of similar messages on the BFM page in DirectAdmin:

Code:

pop3-login: Disconnected (no auth attempts in 110 secs): user=<>, rip=195.bb2.cc.69, lip=195.bb.cc.19, TLS: SSL_read() syscall failed: Connection timed out, session=<1V0sh2XJRQDDUp1F>


Code:

pop3-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=195.bb.cc.69, lip=195.bb.cc.19, session=<Koa1DmPJUQDDUp1F>


and so on:

Code:

Aborted login (auth failed, 1 attempts in 2 secs):
Disconnected (no auth attempts in 0 secs):
Aborted login (no auth attempts in 0 secs):


And here (http://wiki.dovecot.org/WhyDoesItNotWork) we can find some explanation:

Quote:

Aborted login (no auth attempts) means that the client isn’t even attempting to log in. Most likely you have disable_plaintext_auth=yes (default) and the client isn’t configured to use SSL/TLS (or you’ve also set ssl=no).


So it seems we are facing an issue with SSL/TLS, not a hacking attempt, but it seems DirectAdmin counts such messages and blocks the IP. Please check whether DirectAdmin really blocks the IP in such a case, and I’d really like you to review this policy and maybe ignore such lines.
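
One way to separate the two kinds of lines discussed in the post, as an added example that is not part of the original post and is not DirectAdmin's code: it tallies, per remote IP, real failed logins ("auth failed, N attempts") separately from connections that never tried to authenticate ("no auth attempts"). The function names `classify` and `tally` are hypothetical, and the sample lines are constructed with documentation IP ranges, modelled on the excerpts above.

```python
import re
from collections import Counter

# Reason strings as they appear in the login-process lines quoted in the post:
# "(auth failed, 1 attempts in 2 secs)" and "(no auth attempts in 110 secs)".
AUTH_FAILED = re.compile(r"\(auth failed, (\d+) attempts? in \d+ secs\)")
NO_AUTH = re.compile(r"\(no auth attempts in \d+ secs\)")
RIP = re.compile(r"\brip=([^,\s]+)")

def classify(line):
    """Return (rip, kind, failed_attempts), or None if the line is not relevant."""
    rip = RIP.search(line)
    if not rip:
        return None
    failed = AUTH_FAILED.search(line)
    if failed:
        return rip.group(1), "auth_failed", int(failed.group(1))
    if NO_AUTH.search(line):
        return rip.group(1), "no_auth", 0
    return None

def tally(lines):
    """Per-IP totals: failed logins vs. sessions that never attempted auth."""
    failed, idle = Counter(), Counter()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        rip, kind, n = hit
        if kind == "auth_failed":
            failed[rip] += n
        else:
            idle[rip] += 1
    return failed, idle

# Constructed sample lines (not taken from a real server).
SAMPLE = [
    "pop3-login: Disconnected (no auth attempts in 110 secs): user=<>, rip=192.0.2.69, lip=192.0.2.19, TLS: SSL_read() syscall failed: Connection timed out, session=<AAAA>",
    "pop3-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=192.0.2.69, lip=192.0.2.19, session=<BBBB>",
    "pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.0.2.69, lip=192.0.2.19, session=<CCCC>",
    "pop3-login: Aborted login (auth failed, 3 attempts in 6 secs): user=<bob>, rip=203.0.113.7, lip=192.0.2.19, session=<DDDD>",
]

if __name__ == "__main__":
    failed, idle = tally(SAMPLE)
    for ip in sorted(set(failed) | set(idle)):
        print(f"{ip}: failed_logins={failed[ip]} no_auth_sessions={idle[ip]}")
```

Run against a mail log, the two counters show whether a blocked address ever presented wrong credentials or only dropped connections before authenticating.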
