From volleyball at nurfuerspam.de Tue Mar 15 21:11:27 2016
From: volleyball at nurfuerspam.de (Bastian)
Date: Tue, 15 Mar 2016 21:11:27 +0100
Subject: Outlook 2013, Autodiscover, AutoMX, Fail2ban, and Dovecot: Login
probes trigger fail2ban and prevent auto configuration using Outlook 2013
Message-ID: <56E86C6F.6090707@nurfuerspam.de>
Dear all,
I installed AutoMX already quite a while ago on my server (running
Ubuntu with Dovecot for IMAP+POP3 and Postfix for SMTP).
So far, I assumed that everything worked properly. However, some days
ago, I noticed while setting up a mail account in Outlook 2013 that
the automated configuration no longer worked.
I looked at the different log files and my assumption is that Outlook
can access the autodiscover service but misses some information in the
autodiscover file. As a result, Outlook tries to connect to dovecot
using multiple methods until it succeeds. In particular, it first tries to
connect without using a user name or using only the local part of the
e-mail address (see log file extract below) instead of using the full
e-mail address as a login name (even though the autodiscover service
clearly says to use it). Since the first login attempts do not succeed,
fail2ban comes into play and prohibits connections for the next minutes.
If I disable fail2ban, autodiscover works flawlessly (not taking into
account the many failing login attempts at the beginning).
Here are the settings that are required to connect to the server:
- SMTP on port 587, STARTTLS, user name: e-mail address, password
required, authentication: plain or encrypted
- POP3(s) on port 995, TLS/SSL, user name: e-mail address, password
required, authentication: plain or encrypted
- IMAP(s) on port 993, TLS/SSL, user name: e-mail address, password
required, authentication: plain or encrypted
AutoMX seems to work (Outlook accesses
https://autodiscover.domain.com/autodiscover/autodiscover.xml), it can
be accessed via HTTP POST and produces the following result:
email
settings
SMTP
srv1.domain.com
587
off
mail at domain.com
off
TLS
on
6
IMAP
srv1.domain.com
993
off
mail at domain.com
off
SSL
on
POP3
srv1.domain.com
995
off
mail at domain.com
off
SSL
on
Here is the logfile output of dovecot:
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip),
lip=(my server ip), session=
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip),
lip=(my server ip), session=
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip),
session=
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected: Too many invalid
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip),
lip=(my server ip), session=
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip),
lip=(my server ip), session=
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip),
lip=(my server ip), session=
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS:
Disconnected, session=<2f31fhsungCNVAh8>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS:
Disconnected, session=
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS:
Disconnected, session=
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS:
Disconnected, session=
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS:
Disconnected, session=<2z/6fhsupgCNVAh8>
Mar 15 20:35:14 srv1 dovecot: imap-login: Disconnected (no auth attempts
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS
handshaking: Disconnected, session=
Mar 15 20:35:14 srv1 dovecot: pop3-login: Disconnected (no auth attempts
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS
handshaking: Disconnected, session=
Mar 15 20:35:14 srv1 dovecot: pop3-login: Disconnected (no auth attempts
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS
handshaking: Disconnected, session=
Mar 15 20:35:14 srv1 dovecot: pop3-login: Disconnected (no auth attempts
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS
handshaking: Disconnected, session=
Mar 15 20:35:14 srv1 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 2 secs): user=, method=DIGEST-MD5, rip=(my client ip),
lip=(my server ip), session=
Mar 15 20:35:16 srv1 dovecot: imap-login: Disconnected (client didn't
finish SASL auth, waited 4 secs): user=<>, method=DIGEST-MD5, rip=(my
client ip), lip=(my server ip), TLS: Disconnected,
session=
Mar 15 20:35:16 srv1 dovecot: imap-login: Disconnected (client didn't
finish SASL auth, waited 4 secs): user=<>, method=DIGEST-MD5, rip=(my
client ip), lip=(my server ip), session=<6175fhsusQCNVAh8>
Mar 15 20:35:16 srv1 dovecot: imap-login: Disconnected (client didn't
finish SASL auth, waited 4 secs): user=<>, method=DIGEST-MD5, rip=(my
client ip), lip=(my server ip), TLS: Disconnected,
session=
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip),
lip=(my server ip), session=<2l31fhsuqgCNVAh8>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip),
lip=(my server ip), session=
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip),
lip=(my server ip), session=
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip),
lip=(my server ip), TLS: Disconnected, session=<3aL6fhsuoACNVAh8>
Mar 15 20:35:18 srv1 dovecot: imap-login: Login: user=,
method=DIGEST-MD5, rip=(my client ip), lip=(my server ip), mpid=24241,
TLS, session=
Mar 15 20:35:19 srv1 dovecot: imap-login: Login: user=,
method=DIGEST-MD5, rip=(my client ip), lip=(my server ip), mpid=24243,
TLS, session=<+V5gfxsuvACNVAh8>
Mar 15 20:35:19 srv1 dovecot: service=imap, user=mail at domain.com,
ip=[(my client ip)]. Disconnected: Disconnected in IDLE rcvd=11, sent=360
Does anybody have an idea of how to convince Outlook to use the right
method, user name, and password right from the beginning? Is there any
issue with my current automx configuration that could change the Outlook
behavior?
Kind regards,
Bastian
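
The effect described in the message above, as an added example that is not part of the original post and is not fail2ban's own filter: a small Python classifier over constructed Dovecot login lines, showing that whether the Outlook client gets banned depends on which event kinds are counted as failures. The IP addresses, the event categories, the `year` argument and the `maxretry`/`findtime` values used here are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the post's log format. 203.0.113.7 plays the Outlook
# client, 203.0.113.99 a password guesser; both are documentation addresses.
SAMPLE_LOG = """\
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad commands (no auth attempts in 0 secs): user=<>, rip=203.0.113.7, lip=198.51.100.1, session=<s1>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.7, lip=198.51.100.1, TLS: Disconnected, session=<s2>
Mar 15 20:35:14 srv1 dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=203.0.113.7, lip=198.51.100.1, TLS handshaking: Disconnected, session=<s3>
Mar 15 20:35:16 srv1 dovecot: imap-login: Disconnected (client didn't finish SASL auth, waited 4 secs): user=<>, method=DIGEST-MD5, rip=203.0.113.7, lip=198.51.100.1, session=<s4>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=203.0.113.7, lip=198.51.100.1, session=<s5>
Mar 15 20:35:18 srv1 dovecot: imap-login: Login: user=<mail@domain.com>, method=DIGEST-MD5, rip=203.0.113.7, lip=198.51.100.1, mpid=24241, TLS, session=<s6>
Mar 15 20:40:01 srv1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.99, lip=198.51.100.1, session=<s7>
Mar 15 20:40:05 srv1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.99, lip=198.51.100.1, session=<s8>
Mar 15 20:40:09 srv1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.99, lip=198.51.100.1, session=<s9>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?P<svc>imap|pop3)-login: "
    r"(?P<msg>.*?)user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,\s]+)")
# Event kinds are this example's own labels, not Dovecot or fail2ban terms.
KINDS = (("Login:", "login"), ("auth failed", "auth_failed"),
         ("no auth attempts", "probe"), ("didn't finish SASL", "sasl_aborted"))

def classify(msg):
    """Map the text that precedes user=<...> to an event kind."""
    return next((kind for needle, kind in KINDS if needle in msg), "other")

def banned_ips(log, counted, maxretry=3, findtime=600, year=2016):
    """Return the IPs with >= maxretry counted events within findtime seconds."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and classify(m["msg"]) in counted:
            # Syslog timestamps carry no year, so the caller supplies one.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["rip"]].append(ts)
    banned = set()
    for rip, times in hits.items():
        times.sort()
        for first, last in zip(times, times[maxretry - 1:]):
            if last - first <= timedelta(seconds=findtime):
                banned.add(rip)
    return banned

if __name__ == "__main__":
    print(banned_ips(SAMPLE_LOG, {"probe", "sasl_aborted", "auth_failed"}))
    print(banned_ips(SAMPLE_LOG, {"auth_failed"}))
```

Counting every unsuccessful connection bans both addresses, while counting only `auth_failed` events bans the guesser and leaves the probing client alone.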
From c at roessner-network-solutions.com Wed Mar 16 15:45:19 2016
From: c at roessner-network-solutions.com (=?utf-8?Q?Christian_R=C3=B6=C3=9Fner?=)
Date: Wed, 16 Mar 2016 15:45:19 +0100
Subject: Outlook 2013, Autodiscover, AutoMX, Fail2ban,
and Dovecot: Login probes trigger fail2ban and prevent auto
configuration using Outlook 2013
In-Reply-To: <56E86C6F.6090707@nurfuerspam.de>
References: <56E86C6F.6090707@nurfuerspam.de>
Message-ID:
Hi,
> On 15.03.2016 at 21:11, Bastian wrote:
>
> Dear all,
>
> I installed AutoMX already quite a while ago on my server (running Ubuntu with Dovecot for IMAP+POP3 and Postfix for SMTP).
> So far, I assumed that everything worked properly. However, some days ago, I noticed while setting up a mail account in Outlook 2013 that the automated configuration no longer worked.
>
> I looked at the different log files and my assumption is that Outlook can access the autodiscover service but misses some information in the autodiscover file. As a result, Outlook tries to connect to dovecot using multiple methods until it succeeds. In particular, it first tries to connect without using a user name or using only the local part of the e-mail address (see log file extract below) instead of using the full e-mail address as a login name (even though the autodiscover service clearly says to use it). Since the first login attempts do not succeed, fail2ban comes into play and prohibits connections for the next minutes. If I disable fail2ban, autodiscover works flawlessly (not taking into account the many failing login attempts at the beginning).
>
> Here are the settings that are required to connect to the server:
> - SMTP on port 587, STARTTLS, user name: e-mail address, password required, authentication: plain or encrypted
> - POP3(s) on port 995, TLS/SSL, user name: e-mail address, password required, authentication: plain or encrypted
> - IMAP(s) on port 993, TLS/SSL, user name: e-mail address, password required, authentication: plain or encrypted
>
> AutoMX seems to work (Outlook accesses https://autodiscover.domain.com/autodiscover/autodiscover.xml), it can be accessed via HTTP POST and produces the following result:
>
>
>
>
> email
> settings
>
> SMTP
> srv1.domain.com
> 587
> off
> mail at domain.com
> off
> TLS
> on
> 6
>
>
> IMAP
> srv1.domain.com
> 993
> off
> mail at domain.com
> off
> SSL
> on
>
>
> POP3
> srv1.domain.com
> 995
> off
> mail at domain.com
> off
> SSL
> on
>
>
>
>
Can you turn on logging in automx and see if the request reaches your server?
/etc/automx.conf:
[automx]
...
debug = yes
logfile = /var/log/automx/automx.log
Make sure the user running the wsgi-script has write permissions to the log directory.
While watching the log file, please do a test with Outlook.
I hope your version of automx already has logfile-support...
Kind regards
Christian
Christian Rößner B.Sc.
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3089 bytes
Desc: not available
URL:
From c at roessner-network-solutions.com Wed Mar 16 19:43:50 2016
From: c at roessner-network-solutions.com (=?utf-8?Q?Christian_R=C3=B6=C3=9Fner?=)
Date: Wed, 16 Mar 2016 19:43:50 +0100
Subject: ANN: Upcoming release. Testers needed
Message-ID:
Hi,
I spent lots of hours to hopefully get the current code Python-2.7 and Python-3.x compatible. I have done tests with static, LDAP and SQL backends. With Py2.7 and Py3.4 on Gentoo. It is important to install all required dependencies. Either you do so by hand:
For example:
pip install future
pip install lxml
pip install ipaddress
pip install pyldap
pip install sqlalchemy
Or check your distribution. It should work with CentOS7/RHEL7, Debian-8, Ubuntu-14.04, Gentoo.
Even on RHEL6 you could install Py2.7 from a repo (i.e. https://rhel6.iuscommunity.org/)
As this stage is in testing now, the current master branch on Github will only contain fixes until the final release.
Feedback and help are very welcome :-)
Kind regards
Christian
Christian Rößner B.Sc.
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
From c at roessner-network-solutions.com Wed Mar 16 23:12:19 2016
From: c at roessner-network-solutions.com (=?utf-8?Q?Christian_R=C3=B6=C3=9Fner?=)
Date: Wed, 16 Mar 2016 23:12:19 +0100
Subject: Just a test. Please ignore
Message-ID:
Test
Christian Rößner B.Sc.
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
From c at roessner-network-solutions.com Thu Mar 17 12:26:30 2016
From: c at roessner-network-solutions.com (=?utf-8?Q?Christian_R=C3=B6=C3=9Fner?=)
Date: Thu, 17 Mar 2016 12:26:30 +0100
Subject: Outlook 2013, Autodiscover, AutoMX, Fail2ban,
and Dovecot: Login probes trigger fail2ban and prevent auto
configuration using Outlook 2013
In-Reply-To: <56E86C6F.6090707@nurfuerspam.de>
References: <56E86C6F.6090707@nurfuerspam.de>
Message-ID: <94EE64B3-4427-4196-8320-E4C22B6CB805@roessner-network-solutions.com>
> On 15.03.2016 at 21:11, Bastian wrote:
>
> AutoMX seems to work (Outlook accesses https://autodiscover.domain.com/autodiscover/autodiscover.xml), it can be accessed via HTTP POST and produces the following result:
>
>
>
>
> email
> settings
>
> SMTP
> srv1.domain.com
> 587
> off
> mail at domain.com
> off
> TLS
> on
> 6
>
>
> IMAP
> srv1.domain.com
> 993
> off
> mail at domain.com
> off
> SSL
> on
>
>
> POP3
> srv1.domain.com
> 995
> off
> mail at domain.com
> off
> SSL
> on
>
>
>
>
Should look like this:
RNS
email
settings
...
Yours misses User.
That means you have not configured all required options in automx.conf:
Something like this:
[DEFAULT]
action = settings
account_type = email
account_name = R.N.S.
account_name_short = R.N.S.
Can you verify this?
Best wishes
Christian
P.S.: In English because of the list... ;-)
Christian Rößner B.Sc.
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
From c at roessner-network-solutions.com Thu Mar 17 20:39:22 2016
From: c at roessner-network-solutions.com (=?utf-8?Q?Christian_R=C3=B6=C3=9Fner?=)
Date: Thu, 17 Mar 2016 20:39:22 +0100
Subject: ANN: automx 1.1.0 beta1
Message-ID:
We are proud to announce a first beta release of the upcoming version 1.1.0 of automx.
- Major changes are compatibility with Python 3 and bug fixes
- Dropped M2Crypto in favor of calling OpenSSL directly
TODO
Documentation
Download:
https://github.com/sys4/automx/releases/tag/v1.1.0_beta1
The switch from 0.10.x to 1.1.0:
- 0.10.3 would have fixed minor bugs
- 1.0.0 would have been a release that is feature complete concerning autodiscover, autoconfig and mobileconfig.
- 1.1.0 is the first release that should work with Python 2.7 up to Python 3.5
Please note that this version still needs testers. You should not install it on a production server. Even though I tested this release under Py2.7 and Py3.4, different environments may show bugs that were not visible to me, yet :-)
Enjoy
Christian
Christian Rößner B.Sc.
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com