From volleyball at nurfuerspam.de  Tue Mar 15 21:11:27 2016
From: volleyball at nurfuerspam.de (Bastian)
Date: Tue, 15 Mar 2016 21:11:27 +0100
Subject: Outlook 2013, Autodiscover, AutoMX, Fail2ban, and Dovecot: Login
 probes trigger fail2ban and prevent auto configuration using Outlook 2013
Message-ID: <56E86C6F.6090707@nurfuerspam.de>

Dear all,

I installed AutoMX already quite a while ago on my server (running 
Ubuntu with Dovecot for IMAP+POP3 and Postfix for SMTP).
So far, I assumed that everything worked properly. However, some days 
ago, I noticed that while setting up a mail account in Outlook 2013 that 
the automated configuration did no longer work.

I looked at the different log files and my assumption is that Outlook 
can access the autodiscover service but misses some information in the 
autodiscover file. As a result, Outlook tries to connect to dovecot 
using multiple methods until it succeeds. Especially, it first tries to 
connect without using a user name or using only the local part of the 
e-mail address (see log file extract below) instead of using the full 
e-mail address as a login name (even though the autodiscover service 
clearly tells to use it). Since the first login attempts do not succeed, 
fail2ban comes into play and prohibits connections for the next minutes. 
If I disable fail2ban, autodisover works flawless (not taking into 
account the many failing login attempts at the beginning).

Here is the settings that are required to connect to the server:
- SMTP on port 587, STARTTLS, user name: e-mail address, password 
required, authentication: plain or encrypted
- POP3(s) on port 995, TLS/SSL, user name: e-mail address, password 
required, authentication: plain or encrypted
- IMAP(s) on port 993, TLS/SSL, user name: e-mail address, password 
required, authentication: plain or encrypted

AutoMX seems to work (Outlook accesses 
https://autodiscover.domain.com/autodiscover/autodiscover.xml), it can 
be accessed via HTTP POST and produces the following result:
<?xml version='1.0' encoding='utf-8'?>
<Autodiscover 
xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
   <Response 
xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
     <Account>
       <AccountType>email</AccountType>
       <Action>settings</Action>
       <Protocol>
         <Type>SMTP</Type>
         <Server>srv1.domain.com</Server>
         <Port>587</Port>
         <DomainRequired>off</DomainRequired>
         <LoginName>mail at domain.com</LoginName>
         <SPA>off</SPA>
         <Encryption>TLS</Encryption>
         <AuthRequired>on</AuthRequired>
         <TTL>6</TTL>
       </Protocol>
       <Protocol>
         <Type>IMAP</Type>
         <Server>srv1.domain.com</Server>
         <Port>993</Port>
         <DomainRequired>off</DomainRequired>
         <LoginName>mail at domain.com</LoginName>
         <SPA>off</SPA>
         <Encryption>SSL</Encryption>
         <AuthRequired>on</AuthRequired>
       </Protocol>
       <Protocol>
         <Type>POP3</Type>
         <Server>srv1.domain.com</Server>
         <Port>995</Port>
         <DomainRequired>off</DomainRequired>
         <LoginName>mail at domain.com</LoginName>
         <SPA>off</SPA>
         <Encryption>SSL</Encryption>
         <AuthRequired>on</AuthRequired>
       </Protocol>
     </Account>
   </Response>
</Autodiscover>


Here is the logfile output of dovecot:

Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad 
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip), 
lip=(my server ip), session=<RGryfhsunACNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad 
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip), 
lip=(my server ip), session=<WLfyfhsuogCNVAh8>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected (no auth attempts 
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), 
session=<I8HyfhsuoQCNVAh8>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected: Too many invalid 
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip), 
lip=(my server ip), session=<lv/yfhsupQCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad 
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip), 
lip=(my server ip), session=<kCrzfhsuowCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad 
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip), 
lip=(my server ip), session=<sobzfhsupACNVAh8>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected (no auth attempts 
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS: 
Disconnected, session=<2f31fhsungCNVAh8>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected (no auth attempts 
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS: 
Disconnected, session=<C273fhsuqwCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected (no auth attempts 
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS: 
Disconnected, session=<bBH4fhsunQCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected (no auth attempts 
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS: 
Disconnected, session=<zDr5fhsunwCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected (no auth attempts 
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS: 
Disconnected, session=<2z/6fhsupgCNVAh8>
Mar 15 20:35:14 srv1 dovecot: imap-login: Disconnected (no auth attempts 
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS 
handshaking: Disconnected, session=<spQLfxsurwCNVAh8>
Mar 15 20:35:14 srv1 dovecot: pop3-login: Disconnected (no auth attempts 
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS 
handshaking: Disconnected, session=<ZqULfxsusgCNVAh8>
Mar 15 20:35:14 srv1 dovecot: pop3-login: Disconnected (no auth attempts 
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS 
handshaking: Disconnected, session=<gKgLfxsutACNVAh8>
Mar 15 20:35:14 srv1 dovecot: pop3-login: Disconnected (no auth attempts 
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS 
handshaking: Disconnected, session=<sqsLfxsuswCNVAh8>
Mar 15 20:35:14 srv1 dovecot: pop3-login: Aborted login (auth failed, 1 
attempts in 2 secs): user=<mail>, method=DIGEST-MD5, rip=(my client ip), 
lip=(my server ip), session=<EfH0fhsuqACNVAh8>
Mar 15 20:35:16 srv1 dovecot: imap-login: Disconnected (client didn't 
finish SASL auth, waited 4 secs): user=<>, method=DIGEST-MD5, rip=(my 
client ip), lip=(my server ip), TLS: Disconnected, 
session=<phz4fhsuqQCNVAh8>
Mar 15 20:35:16 srv1 dovecot: imap-login: Disconnected (client didn't 
finish SASL auth, waited 4 secs): user=<>, method=DIGEST-MD5, rip=(my 
client ip), lip=(my server ip), session=<6175fhsusQCNVAh8>
Mar 15 20:35:16 srv1 dovecot: imap-login: Disconnected (client didn't 
finish SASL auth, waited 4 secs): user=<>, method=DIGEST-MD5, rip=(my 
client ip), lip=(my server ip), TLS: Disconnected, 
session=<nWn5fhsupwCNVAh8>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1 
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip), 
lip=(my server ip), session=<2l31fhsuqgCNVAh8>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1 
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip), 
lip=(my server ip), session=<Al/2fhsurACNVAh8>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1 
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip), 
lip=(my server ip), session=<JZP3fhsurgCNVAh8>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1 
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip), 
lip=(my server ip), TLS: Disconnected, session=<3aL6fhsuoACNVAh8>
Mar 15 20:35:18 srv1 dovecot: imap-login: Login: user=<mail at domain.com>, 
method=DIGEST-MD5, rip=(my client ip), lip=(my server ip), mpid=24241, 
TLS, session=<ieoPfxsuuACNVAh8>
Mar 15 20:35:19 srv1 dovecot: imap-login: Login: user=<mail at domain.com>, 
method=DIGEST-MD5, rip=(my client ip), lip=(my server ip), mpid=24243, 
TLS, session=<+V5gfxsuvACNVAh8>
Mar 15 20:35:19 srv1 dovecot: service=imap, user=mail at domain.com, 
ip=[(my client ip)]. Disconnected: Disconnected in IDLE rcvd=11, sent=360

Does anybody have an idea of how to convince Outlook to use the right 
method, user name, and password right from the beginning? Is there any 
issue with my current automx configuration that could change the Outlook 
behavior?

Kind regards,

Bastian

From c at roessner-network-solutions.com  Wed Mar 16 15:45:19 2016
From: c at roessner-network-solutions.com (=?utf-8?Q?Christian_R=C3=B6=C3=9Fner?=)
Date: Wed, 16 Mar 2016 15:45:19 +0100
Subject: Outlook 2013, Autodiscover, AutoMX, Fail2ban,
 and Dovecot: Login probes trigger fail2ban and prevent auto
 configuration using Outlook 2013
In-Reply-To: <56E86C6F.6090707@nurfuerspam.de>
References: <56E86C6F.6090707@nurfuerspam.de>
Message-ID: <F72B5906-3F61-413E-9C9D-EB6B02667D58@roessner-network-solutions.com>

Hi,

> Am 15.03.2016 um 21:11 schrieb Bastian <volleyball at nurfuerspam.de>:
> 
> Dear all,
> 
> I installed AutoMX already quite a while ago on my server (running Ubuntu with Dovecot for IMAP+POP3 and Postfix for SMTP).
> So far, I assumed that everything worked properly. However, some days ago, I noticed that while setting up a mail account in Outlook 2013 that the automated configuration did no longer work.
> 
> I looked at the different log files and my assumption is that Outlook can access the autodiscover service but misses some information in the autodiscover file. As a result, Outlook tries to connect to dovecot using multiple methods until it succeeds. Especially, it first tries to connect without using a user name or using only the local part of the e-mail address (see log file extract below) instead of using the full e-mail address as a login name (even though the autodiscover service clearly tells to use it). Since the first login attempts do not succeed, fail2ban comes into play and prohibits connections for the next minutes. If I disable fail2ban, autodisover works flawless (not taking into account the many failing login attempts at the beginning).
> 
> Here is the settings that are required to connect to the server:
> - SMTP on port 587, STARTTLS, user name: e-mail address, password required, authentication: plain or encrypted
> - POP3(s) on port 995, TLS/SSL, user name: e-mail address, password required, authentication: plain or encrypted
> - IMAP(s) on port 993, TLS/SSL, user name: e-mail address, password required, authentication: plain or encrypted
> 
> AutoMX seems to work (Outlook accesses https://autodiscover.domain.com/autodiscover/autodiscover.xml), it can be accessed via HTTP POST and produces the following result:
> <?xml version='1.0' encoding='utf-8'?>
> <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
>  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
>    <Account>
>      <AccountType>email</AccountType>
>      <Action>settings</Action>
>      <Protocol>
>        <Type>SMTP</Type>
>        <Server>srv1.domain.com</Server>
>        <Port>587</Port>
>        <DomainRequired>off</DomainRequired>
>        <LoginName>mail at domain.com</LoginName>
>        <SPA>off</SPA>
>        <Encryption>TLS</Encryption>
>        <AuthRequired>on</AuthRequired>
>        <TTL>6</TTL>
>      </Protocol>
>      <Protocol>
>        <Type>IMAP</Type>
>        <Server>srv1.domain.com</Server>
>        <Port>993</Port>
>        <DomainRequired>off</DomainRequired>
>        <LoginName>mail at domain.com</LoginName>
>        <SPA>off</SPA>
>        <Encryption>SSL</Encryption>
>        <AuthRequired>on</AuthRequired>
>      </Protocol>
>      <Protocol>
>        <Type>POP3</Type>
>        <Server>srv1.domain.com</Server>
>        <Port>995</Port>
>        <DomainRequired>off</DomainRequired>
>        <LoginName>mail at domain.com</LoginName>
>        <SPA>off</SPA>
>        <Encryption>SSL</Encryption>
>        <AuthRequired>on</AuthRequired>
>      </Protocol>
>    </Account>
>  </Response>
> </Autodiscover>

Can you turn on logging in automx and see, if the request reaches your server?

/etc/automx.conf:

[automx]
...
debug = yes
logfile = /var/log/automx/automx.log


Make sure, the user running the wsgi-script has write-permissions to the log-directory.

While watching the log file, please do a test with Outlook.

I hope your version of automx already has logfile-support...

Kind regards

Christian
?
Christian R??ner B.Sc.
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3089 bytes
Desc: not available
URL: <https://mail.sys4.de/pipermail/automx-users/attachments/20160316/9dd64f29/attachment.p7s>

From c at roessner-network-solutions.com  Wed Mar 16 19:43:50 2016
From: c at roessner-network-solutions.com (=?utf-8?Q?Christian_R=C3=B6=C3=9Fner?=)
Date: Wed, 16 Mar 2016 19:43:50 +0100
Subject: ANN: Upcoming release. Testers needed
Message-ID: <C01C5845-50AB-4193-A222-9465F3E04E40@roessner-network-solutions.com>

Hi,

I spent lots of hours to hopefully get the current code Python-2.7 and Python-3.x compatible. I have done tests with static, LDAP and SQL backends. With Py2.7 and Py3.4 on Gentoo. It is important to install all required dependencies. Either you do so by hand:

For example:

pip install future
pip install lxml
pip install ipaddress
pip install pyldap
pip install sqlalchemy

Or check your distribution. It should work with CentOS7/RHEL7, Debian-8, Ubuntu-14.04, Gentoo.

Even on RHEL6 you could install Py2.7 from a repo (i.e. https://rhel6.iuscommunity.org/)

As this stage is in testing now, the current master branch on Github will only contain fixes until the final release.

Feedback and help is very welcome :-)

Kind regards

Christian
?
Christian R??ner B.Sc.
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3089 bytes
Desc: not available
URL: <https://mail.sys4.de/pipermail/automx-users/attachments/20160316/8a2dcf13/attachment-0001.p7s>

From c at roessner-network-solutions.com  Wed Mar 16 23:12:19 2016
From: c at roessner-network-solutions.com (=?utf-8?Q?Christian_R=C3=B6=C3=9Fner?=)
Date: Wed, 16 Mar 2016 23:12:19 +0100
Subject: Just a test. Please ignore
Message-ID: <C88EF061-F0F6-4E9A-AC5B-818473CFD423@roessner-network-solutions.com>

Test
?
Christian R??ner B.Sc.
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3089 bytes
Desc: not available
URL: <https://mail.sys4.de/pipermail/automx-users/attachments/20160316/32f2bd3a/attachment.p7s>

From c at roessner-network-solutions.com  Thu Mar 17 12:26:30 2016
From: c at roessner-network-solutions.com (=?utf-8?Q?Christian_R=C3=B6=C3=9Fner?=)
Date: Thu, 17 Mar 2016 12:26:30 +0100
Subject: Outlook 2013, Autodiscover, AutoMX, Fail2ban,
 and Dovecot: Login probes trigger fail2ban and prevent auto
 configuration using Outlook 2013
In-Reply-To: <56E86C6F.6090707@nurfuerspam.de>
References: <56E86C6F.6090707@nurfuerspam.de>
Message-ID: <94EE64B3-4427-4196-8320-E4C22B6CB805@roessner-network-solutions.com>


> Am 15.03.2016 um 21:11 schrieb Bastian <volleyball at nurfuerspam.de>:
> 
> AutoMX seems to work (Outlook accesses https://autodiscover.domain.com/autodiscover/autodiscover.xml), it can be accessed via HTTP POST and produces the following result:
> <?xml version='1.0' encoding='utf-8'?>
> <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
>  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
>    <Account>
>      <AccountType>email</AccountType>
>      <Action>settings</Action>
>      <Protocol>
>        <Type>SMTP</Type>
>        <Server>srv1.domain.com</Server>
>        <Port>587</Port>
>        <DomainRequired>off</DomainRequired>
>        <LoginName>mail at domain.com</LoginName>
>        <SPA>off</SPA>
>        <Encryption>TLS</Encryption>
>        <AuthRequired>on</AuthRequired>
>        <TTL>6</TTL>
>      </Protocol>
>      <Protocol>
>        <Type>IMAP</Type>
>        <Server>srv1.domain.com</Server>
>        <Port>993</Port>
>        <DomainRequired>off</DomainRequired>
>        <LoginName>mail at domain.com</LoginName>
>        <SPA>off</SPA>
>        <Encryption>SSL</Encryption>
>        <AuthRequired>on</AuthRequired>
>      </Protocol>
>      <Protocol>
>        <Type>POP3</Type>
>        <Server>srv1.domain.com</Server>
>        <Port>995</Port>
>        <DomainRequired>off</DomainRequired>
>        <LoginName>mail at domain.com</LoginName>
>        <SPA>off</SPA>
>        <Encryption>SSL</Encryption>
>        <AuthRequired>on</AuthRequired>
>      </Protocol>
>    </Account>
>  </Response>
> </Autodiscover>

Should look like this:

<?xml version='1.0' encoding='utf-8'?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>RNS</DisplayName>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
...

Yours misses User.

That means you have not configured all required options in automx.conf:

Something like this:

[DEFAULT]
action = settings

account_type = email
account_name = R.N.S.
account_name_short = R.N.S.


Can you verify this?

Best wishes

Christian

P.S.: Wegen Liste in Englisch... ;-)
?
Christian R??ner B.Sc.
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3089 bytes
Desc: not available
URL: <https://mail.sys4.de/pipermail/automx-users/attachments/20160317/b6fcdf1b/attachment.p7s>

From c at roessner-network-solutions.com  Thu Mar 17 20:39:22 2016
From: c at roessner-network-solutions.com (=?utf-8?Q?Christian_R=C3=B6=C3=9Fner?=)
Date: Thu, 17 Mar 2016 20:39:22 +0100
Subject: ANN: automx 1.1.0 beta1
Message-ID: <D34555CE-50CE-401A-87A8-EA4575456ADF@roessner-network-solutions.com>

We are proud to announce a first beta release of the upcoming version 1.1.0 of automx.

? Major changes are compatibility with Python 3 and bug fixes
? Dropped M2Crypto in favor of calling OpenSSL directly

TODO

Documentation

Download:

https://github.com/sys4/automx/releases/tag/v1.1.0_beta1


The switch from 0.10.x to 1.1.0:

- 0.10.3 would had fixed minor bugs
- 1.0.0 would had been a release that is feature complete concerning autodiscover, autoconfig and mobileconfig.
- 1.1.0 is the first release that should work with Python 2.7 up to Python 3.5


Please note that this version still needs testers. You should not install it on a production server. Even I tested this release under Py2.7 and Py3.4, different environments may show bugs that were not visible to me, yet :-)

Enjoy

Christian
?
Christian R??ner B.Sc.
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3089 bytes
Desc: not available
URL: <https://mail.sys4.de/pipermail/automx-users/attachments/20160317/6a7768b7/attachment.p7s>