Outlook 2013, Autodiscover, AutoMX, Fail2ban, and Dovecot: Login probes trigger fail2ban and prevent auto configuration using Outlook 2013
Bastian
volleyball at nurfuerspam.de
Tue Mar 15 21:11:27 CET 2016
Dear all,
I installed AutoMX already quite a while ago on my server (running
Ubuntu with Dovecot for IMAP+POP3 and Postfix for SMTP).
So far, I assumed that everything worked properly. However, some days
ago, I noticed while setting up a mail account in Outlook 2013 that
the automated configuration no longer worked.
I looked at the different log files and my assumption is that Outlook
can access the autodiscover service but misses some information in the
autodiscover file. As a result, Outlook tries to connect to dovecot
using multiple methods until it succeeds. Especially, it first tries to
connect without using a user name or using only the local part of the
e-mail address (see log file extract below) instead of using the full
e-mail address as a login name (even though the autodiscover service
clearly says to use it). Since the first login attempts do not succeed,
fail2ban comes into play and prohibits connections for the next minutes.
If I disable fail2ban, autodiscover works flawlessly (not taking into
account the many failing login attempts at the beginning).
Here are the settings that are required to connect to the server:
- SMTP on port 587, STARTTLS, user name: e-mail address, password
required, authentication: plain or encrypted
- POP3(s) on port 995, TLS/SSL, user name: e-mail address, password
required, authentication: plain or encrypted
- IMAP(s) on port 993, TLS/SSL, user name: e-mail address, password
required, authentication: plain or encrypted
AutoMX seems to work (Outlook accesses
https://autodiscover.domain.com/autodiscover/autodiscover.xml), it can
be accessed via HTTP POST and produces the following result:
<?xml version='1.0' encoding='utf-8'?>
<Autodiscover
xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response
xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>SMTP</Type>
<Server>srv1.domain.com</Server>
<Port>587</Port>
<DomainRequired>off</DomainRequired>
<LoginName>mail at domain.com</LoginName>
<SPA>off</SPA>
<Encryption>TLS</Encryption>
<AuthRequired>on</AuthRequired>
<TTL>6</TTL>
</Protocol>
<Protocol>
<Type>IMAP</Type>
<Server>srv1.domain.com</Server>
<Port>993</Port>
<DomainRequired>off</DomainRequired>
<LoginName>mail at domain.com</LoginName>
<SPA>off</SPA>
<Encryption>SSL</Encryption>
<AuthRequired>on</AuthRequired>
</Protocol>
<Protocol>
<Type>POP3</Type>
<Server>srv1.domain.com</Server>
<Port>995</Port>
<DomainRequired>off</DomainRequired>
<LoginName>mail at domain.com</LoginName>
<SPA>off</SPA>
<Encryption>SSL</Encryption>
<AuthRequired>on</AuthRequired>
</Protocol>
</Account>
</Response>
</Autodiscover>
Here is the logfile output of dovecot:
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip),
lip=(my server ip), session=<RGryfhsunACNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip),
lip=(my server ip), session=<WLfyfhsuogCNVAh8>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip),
session=<I8HyfhsuoQCNVAh8>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected: Too many invalid
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip),
lip=(my server ip), session=<lv/yfhsupQCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip),
lip=(my server ip), session=<kCrzfhsuowCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip),
lip=(my server ip), session=<sobzfhsupACNVAh8>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS:
Disconnected, session=<2f31fhsungCNVAh8>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS:
Disconnected, session=<C273fhsuqwCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS:
Disconnected, session=<bBH4fhsunQCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS:
Disconnected, session=<zDr5fhsunwCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS:
Disconnected, session=<2z/6fhsupgCNVAh8>
Mar 15 20:35:14 srv1 dovecot: imap-login: Disconnected (no auth attempts
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS
handshaking: Disconnected, session=<spQLfxsurwCNVAh8>
Mar 15 20:35:14 srv1 dovecot: pop3-login: Disconnected (no auth attempts
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS
handshaking: Disconnected, session=<ZqULfxsusgCNVAh8>
Mar 15 20:35:14 srv1 dovecot: pop3-login: Disconnected (no auth attempts
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS
handshaking: Disconnected, session=<gKgLfxsutACNVAh8>
Mar 15 20:35:14 srv1 dovecot: pop3-login: Disconnected (no auth attempts
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS
handshaking: Disconnected, session=<sqsLfxsuswCNVAh8>
Mar 15 20:35:14 srv1 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 2 secs): user=<mail>, method=DIGEST-MD5, rip=(my client ip),
lip=(my server ip), session=<EfH0fhsuqACNVAh8>
Mar 15 20:35:16 srv1 dovecot: imap-login: Disconnected (client didn't
finish SASL auth, waited 4 secs): user=<>, method=DIGEST-MD5, rip=(my
client ip), lip=(my server ip), TLS: Disconnected,
session=<phz4fhsuqQCNVAh8>
Mar 15 20:35:16 srv1 dovecot: imap-login: Disconnected (client didn't
finish SASL auth, waited 4 secs): user=<>, method=DIGEST-MD5, rip=(my
client ip), lip=(my server ip), session=<6175fhsusQCNVAh8>
Mar 15 20:35:16 srv1 dovecot: imap-login: Disconnected (client didn't
finish SASL auth, waited 4 secs): user=<>, method=DIGEST-MD5, rip=(my
client ip), lip=(my server ip), TLS: Disconnected,
session=<nWn5fhsupwCNVAh8>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip),
lip=(my server ip), session=<2l31fhsuqgCNVAh8>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip),
lip=(my server ip), session=<Al/2fhsurACNVAh8>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip),
lip=(my server ip), session=<JZP3fhsurgCNVAh8>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip),
lip=(my server ip), TLS: Disconnected, session=<3aL6fhsuoACNVAh8>
Mar 15 20:35:18 srv1 dovecot: imap-login: Login: user=<mail at domain.com>,
method=DIGEST-MD5, rip=(my client ip), lip=(my server ip), mpid=24241,
TLS, session=<ieoPfxsuuACNVAh8>
Mar 15 20:35:19 srv1 dovecot: imap-login: Login: user=<mail at domain.com>,
method=DIGEST-MD5, rip=(my client ip), lip=(my server ip), mpid=24243,
TLS, session=<+V5gfxsuvACNVAh8>
Mar 15 20:35:19 srv1 dovecot: service=imap, user=mail at domain.com,
ip=[(my client ip)]. Disconnected: Disconnected in IDLE rcvd=11, sent=360
Does anybody have an idea of how to convince Outlook to use the right
method, user name, and password right from the beginning? Is there any
issue with my current automx configuration that could change the Outlook
behavior?
Kind regards,
Bastian
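
Added example (not part of the original post, and not AutoMX, Dovecot or fail2ban code): a small classifier for the dovecot login lines shown above. It separates connections closed before any credentials were sent from rejected logins and counts each per client IP. The sample lines are constructed, and the "broad" rule that counts every non-successful line is an assumption, since the post does not show the fail2ban filter in use.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log extract in the post. The IPs
# (192.0.2.0/24 documentation range), user and session ids are made up.
SAMPLE_LOG = """\
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad commands (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=192.0.2.1, session=<AAAA>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=192.0.2.1, TLS: Disconnected, session=<BBBB>
Mar 15 20:35:14 srv1 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<mail>, method=DIGEST-MD5, rip=192.0.2.10, lip=192.0.2.1, session=<CCCC>
Mar 15 20:35:16 srv1 dovecot: imap-login: Disconnected (client didn't finish SASL auth, waited 4 secs): user=<>, method=DIGEST-MD5, rip=192.0.2.10, lip=192.0.2.1, session=<DDDD>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=192.0.2.10, lip=192.0.2.1, session=<EEEE>
Mar 15 20:35:18 srv1 dovecot: imap-login: Login: user=<mail@example.com>, method=DIGEST-MD5, rip=192.0.2.10, lip=192.0.2.1, mpid=24241, TLS, session=<FFFF>
"""

LINE_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: (?P<msg>.*?): user=<(?P<user>[^>]*)>"
    r".*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

def classify(msg):
    """Map a dovecot login-process message to a coarse event kind."""
    if msg == "Login":
        return "success"
    if "auth failed" in msg:
        return "auth_failed"      # credentials were sent and rejected
    if "no auth attempts" in msg:
        return "probe"            # connection closed before any credentials
    if "didn't finish SASL auth" in msg:
        return "aborted_sasl"     # mechanism started, client gave up
    return "other"

def parse(log):
    """Return (kind, user, rip) for every login-process line in the log."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((classify(m["msg"]), m["user"], m["rip"]))
    return events

def failures_per_ip(log, count_probes):
    """Count ban-relevant events per client IP.

    count_probes=True is the assumed broad rule (every non-success line
    counts); False counts only rejected credentials.
    """
    counted = {"auth_failed"}
    if count_probes:
        counted |= {"probe", "aborted_sasl", "other"}
    return Counter(rip for kind, _, rip in parse(log) if kind in counted)
```

On the sample, the broad rule counts five events for the client within six seconds while the strict rule counts two, which is the gap between a probing mail client and an actual run of rejected passwords.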