We are facing a strange issue with BFM & Dovecot. An IP of a customer got blocked. During the investigation we did not find any attempts to log in with a wrong password, but we see a lot of similar messages on the BFM page in DirectAdmin:
pop3-login: Disconnected (no auth attempts in 110 secs): user=<>, rip=195.bb2.cc.69, lip=195.bb.cc.19, TLS: SSL_read() syscall failed: Connection timed out, session=<1V0sh2XJRQDDUp1F>
pop3-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=195.bb.cc.69, lip=195.bb.cc.19, session=<Koa1DmPJUQDDUp1F>
and so on:
Aborted login (auth failed, 1 attempts in 2 secs):
Disconnected (no auth attempts in 0 secs):
Aborted login (no auth attempts in 0 secs):
And here (http://wiki.dovecot.org/WhyDoesItNotWork) we can find some explanation:
Aborted login (no auth attempts) means that the client isn’t even attempting to log in. Most likely you have disable_plaintext_auth=yes (default) and the client isn’t configured to use SSL/TLS (or you’ve also set ssl=no).
So it seems we are facing an issue with SSL/TLS, but not a hacking attempt, but it seems DirectAdmin counts such messages and blocks the IP. Please check whether DirectAdmin really blocks an IP in such a case, and I’d really like you to review this policy and maybe ignore such lines.
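The distinction raised in the post above, as an added example that is not part of the original post and is not DirectAdmin's or Dovecot's own code: it separates Dovecot login lines that record real password failures from lines that record no authentication attempt, and compares a counter that scores every line with one that scores only failed attempts. The log lines, addresses, threshold and function names are constructed for illustration.

```python
import re
from collections import Counter

# Matches Dovecot pop3/imap login lines and captures the parenthesised reason and remote IP.
LOGIN_RE = re.compile(
    r"(?:pop3|imap)-login: (?:Disconnected|Aborted login)[^()]*"
    r"\((?P<reason>[^)]*)\):.*?\brip=(?P<rip>[^,\s]+)"
)
FAILED_RE = re.compile(r"auth failed, (?P<n>\d+) attempts")

# Constructed sample lines (documentation IP ranges), modelled on the messages in the post.
C = "user=<>, rip=192.0.2.69, lip=192.0.2.19"
SAMPLE = [
    f"pop3-login: Disconnected (no auth attempts in 110 secs): {C}, "
    "TLS: SSL_read() syscall failed: Connection timed out",
    f"pop3-login: Disconnected: Inactivity (no auth attempts in 180 secs): {C}",
    f"pop3-login: Disconnected (no auth attempts in 0 secs): {C}",
    f"pop3-login: Aborted login (no auth attempts in 0 secs): {C}",
    "pop3-login: Aborted login (auth failed, 3 attempts in 6 secs): "
    "user=<alice>, rip=198.51.100.7, lip=192.0.2.19",
    "imap-login: Aborted login (auth failed, 2 attempts in 4 secs): "
    "user=<alice>, rip=198.51.100.7, lip=192.0.2.19",
]

def classify(line):
    """Return (kind, remote_ip, failed_attempts), or None for unrelated lines."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    failed = FAILED_RE.search(m["reason"])
    if failed:
        return ("auth_failed", m["rip"], int(failed["n"]))
    if "no auth attempts" in m["reason"]:
        return ("no_auth", m["rip"], 0)
    return ("other", m["rip"], 0)

def tally(lines):
    """naive: one point per login line; strict: only real failed attempts."""
    naive, strict = Counter(), Counter()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        kind, rip, attempts = hit
        naive[rip] += 1
        if kind == "auth_failed":
            strict[rip] += attempts
    return naive, strict

def over_threshold(counter, limit):
    return sorted(ip for ip, n in counter.items() if n >= limit)

if __name__ == "__main__":
    naive, strict = tally(SAMPLE)
    print("naive :", over_threshold(naive, 4))   # hypothetical limit of 4
    print("strict:", over_threshold(strict, 4))
```

With these sample lines the per-line counter flags the client that never sent credentials, while the attempts-only counter flags the address with actual failed logins.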