Outlook 2013, Autodiscover, AutoMX, Fail2ban, and Dovecot: Login probes trigger fail2ban and prevent auto configuration using Outlook 2013

Bastian volleyball at nurfuerspam.de
Tue Mar 15 21:11:27 CET 2016


Dear all,

I installed AutoMX already quite a while ago on my server (running 
Ubuntu with Dovecot for IMAP+POP3 and Postfix for SMTP).
So far, I assumed that everything worked properly. However, some days 
ago, I noticed while setting up a mail account in Outlook 2013 that 
the automated configuration no longer worked.

I looked at the different log files and my assumption is that Outlook 
can access the autodiscover service but misses some information in the 
autodiscover file. As a result, Outlook tries to connect to dovecot 
using multiple methods until it succeeds. Especially, it first tries to 
connect without using a user name or using only the local part of the 
e-mail address (see log file extract below) instead of using the full 
e-mail address as a login name (even though the autodiscover service 
clearly tells to use it). Since the first login attempts do not succeed, 
fail2ban comes into play and prohibits connections for the next minutes. 
If I disable fail2ban, autodiscover works flawlessly (not taking into 
account the many failing login attempts at the beginning).

Here are the settings that are required to connect to the server:
- SMTP on port 587, STARTTLS, user name: e-mail address, password 
required, authentication: plain or encrypted
- POP3(s) on port 995, TLS/SSL, user name: e-mail address, password 
required, authentication: plain or encrypted
- IMAP(s) on port 993, TLS/SSL, user name: e-mail address, password 
required, authentication: plain or encrypted

AutoMX seems to work (Outlook accesses 
https://autodiscover.domain.com/autodiscover/autodiscover.xml), it can 
be accessed via HTTP POST and produces the following result:
<?xml version='1.0' encoding='utf-8'?>
<Autodiscover 
xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
   <Response 
xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
     <Account>
       <AccountType>email</AccountType>
       <Action>settings</Action>
       <Protocol>
         <Type>SMTP</Type>
         <Server>srv1.domain.com</Server>
         <Port>587</Port>
         <DomainRequired>off</DomainRequired>
         <LoginName>mail at domain.com</LoginName>
         <SPA>off</SPA>
         <Encryption>TLS</Encryption>
         <AuthRequired>on</AuthRequired>
         <TTL>6</TTL>
       </Protocol>
       <Protocol>
         <Type>IMAP</Type>
         <Server>srv1.domain.com</Server>
         <Port>993</Port>
         <DomainRequired>off</DomainRequired>
         <LoginName>mail at domain.com</LoginName>
         <SPA>off</SPA>
         <Encryption>SSL</Encryption>
         <AuthRequired>on</AuthRequired>
       </Protocol>
       <Protocol>
         <Type>POP3</Type>
         <Server>srv1.domain.com</Server>
         <Port>995</Port>
         <DomainRequired>off</DomainRequired>
         <LoginName>mail at domain.com</LoginName>
         <SPA>off</SPA>
         <Encryption>SSL</Encryption>
         <AuthRequired>on</AuthRequired>
       </Protocol>
     </Account>
   </Response>
</Autodiscover>


Here is the logfile output of dovecot:

Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad 
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip), 
lip=(my server ip), session=<RGryfhsunACNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad 
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip), 
lip=(my server ip), session=<WLfyfhsuogCNVAh8>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected (no auth attempts 
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), 
session=<I8HyfhsuoQCNVAh8>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected: Too many invalid 
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip), 
lip=(my server ip), session=<lv/yfhsupQCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad 
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip), 
lip=(my server ip), session=<kCrzfhsuowCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected: Too many bad 
commands (no auth attempts in 0 secs): user=<>, rip=(my client ip), 
lip=(my server ip), session=<sobzfhsupACNVAh8>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected (no auth attempts 
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS: 
Disconnected, session=<2f31fhsungCNVAh8>
Mar 15 20:35:12 srv1 dovecot: imap-login: Disconnected (no auth attempts 
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS: 
Disconnected, session=<C273fhsuqwCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected (no auth attempts 
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS: 
Disconnected, session=<bBH4fhsunQCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected (no auth attempts 
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS: 
Disconnected, session=<zDr5fhsunwCNVAh8>
Mar 15 20:35:12 srv1 dovecot: pop3-login: Disconnected (no auth attempts 
in 0 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS: 
Disconnected, session=<2z/6fhsupgCNVAh8>
Mar 15 20:35:14 srv1 dovecot: imap-login: Disconnected (no auth attempts 
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS 
handshaking: Disconnected, session=<spQLfxsurwCNVAh8>
Mar 15 20:35:14 srv1 dovecot: pop3-login: Disconnected (no auth attempts 
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS 
handshaking: Disconnected, session=<ZqULfxsusgCNVAh8>
Mar 15 20:35:14 srv1 dovecot: pop3-login: Disconnected (no auth attempts 
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS 
handshaking: Disconnected, session=<gKgLfxsutACNVAh8>
Mar 15 20:35:14 srv1 dovecot: pop3-login: Disconnected (no auth attempts 
in 2 secs): user=<>, rip=(my client ip), lip=(my server ip), TLS 
handshaking: Disconnected, session=<sqsLfxsuswCNVAh8>
Mar 15 20:35:14 srv1 dovecot: pop3-login: Aborted login (auth failed, 1 
attempts in 2 secs): user=<mail>, method=DIGEST-MD5, rip=(my client ip), 
lip=(my server ip), session=<EfH0fhsuqACNVAh8>
Mar 15 20:35:16 srv1 dovecot: imap-login: Disconnected (client didn't 
finish SASL auth, waited 4 secs): user=<>, method=DIGEST-MD5, rip=(my 
client ip), lip=(my server ip), TLS: Disconnected, 
session=<phz4fhsuqQCNVAh8>
Mar 15 20:35:16 srv1 dovecot: imap-login: Disconnected (client didn't 
finish SASL auth, waited 4 secs): user=<>, method=DIGEST-MD5, rip=(my 
client ip), lip=(my server ip), session=<6175fhsusQCNVAh8>
Mar 15 20:35:16 srv1 dovecot: imap-login: Disconnected (client didn't 
finish SASL auth, waited 4 secs): user=<>, method=DIGEST-MD5, rip=(my 
client ip), lip=(my server ip), TLS: Disconnected, 
session=<nWn5fhsupwCNVAh8>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1 
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip), 
lip=(my server ip), session=<2l31fhsuqgCNVAh8>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1 
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip), 
lip=(my server ip), session=<Al/2fhsurACNVAh8>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1 
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip), 
lip=(my server ip), session=<JZP3fhsurgCNVAh8>
Mar 15 20:35:18 srv1 dovecot: pop3-login: Disconnected (auth failed, 1 
attempts in 6 secs): user=<>, method=DIGEST-MD5, rip=(my client ip), 
lip=(my server ip), TLS: Disconnected, session=<3aL6fhsuoACNVAh8>
Mar 15 20:35:18 srv1 dovecot: imap-login: Login: user=<mail at domain.com>, 
method=DIGEST-MD5, rip=(my client ip), lip=(my server ip), mpid=24241, 
TLS, session=<ieoPfxsuuACNVAh8>
Mar 15 20:35:19 srv1 dovecot: imap-login: Login: user=<mail at domain.com>, 
method=DIGEST-MD5, rip=(my client ip), lip=(my server ip), mpid=24243, 
TLS, session=<+V5gfxsuvACNVAh8>
Mar 15 20:35:19 srv1 dovecot: service=imap, user=mail at domain.com, 
ip=[(my client ip)]. Disconnected: Disconnected in IDLE rcvd=11, sent=360

Does anybody have an idea of how to convince Outlook to use the right 
method, user name, and password right from the beginning? Is there any 
issue with my current automx configuration that could change the Outlook 
behavior?

Kind regards,

Bastian
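
Added example, not part of the original post: a Python sketch that replays the connection burst from the log above through a fail2ban-style sliding window, to show which classes of Dovecot events push one client over a retry threshold. The log lines are constructed from the event counts in the post; the address 198.51.100.7, the `maxretry` and `findtime` values and the substring matching are assumptions, not the poster's jail settings or fail2ban's own Dovecot filter.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

IP = "198.51.100.7"  # assumed documentation address for "(my client ip)"
# Constructed replay: (time, reason, count) grouped from the log in the post.
BURST = [("20:35:12", "no auth attempts in 0 secs", 11),
         ("20:35:14", "no auth attempts in 2 secs", 4),
         ("20:35:14", "auth failed, 1 attempts in 2 secs", 1),
         ("20:35:16", "client didn't finish SASL auth, waited 4 secs", 3),
         ("20:35:18", "auth failed, 1 attempts in 6 secs", 4)]
SAMPLE = "\n".join(
    [f"Mar 15 {t} srv1 dovecot: pop3-login: Disconnected ({why}): user=<>, rip={IP}"
     for t, why, n in BURST for _ in range(n)] +
    [f"Mar 15 {t} srv1 dovecot: imap-login: Login: user=<mail@domain.com>, rip={IP}"
     for t in ("20:35:18", "20:35:19")])

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ dovecot: (?:pop3|imap)-login: (.*?)rip=([0-9A-Fa-f.:]+)")
KINDS = [("auth_failed", "auth failed"), ("sasl_incomplete", "didn't finish SASL auth"),
         ("no_auth", "no auth attempts"), ("login", "Login: user=")]

def parse(text, year=2016):
    """Turn login-process lines into (timestamp, client ip, kind) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            kind = next((k for k, s in KINDS if s in m.group(2)), "other")
            events.append((ts, m.group(3), kind))
    return events

def first_ban(events, counted, maxretry, findtime=600):
    """Per IP, the time the maxretry-th counted event lands inside findtime seconds."""
    window, banned = defaultdict(deque), {}
    for ts, ip, kind in events:
        if kind in counted and ip not in banned:
            q = window[ip]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=findtime):
                q.popleft()  # drop hits that fell out of the window
            if len(q) >= maxretry:
                banned[ip] = ts
    return banned

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print(Counter(kind for _, _, kind in ev))
    every = {"no_auth", "sasl_incomplete", "auth_failed"}
    print("all disconnects, maxretry=5:", first_ban(ev, every, 5))
    print("auth failures only, maxretry=5:", first_ban(ev, {"auth_failed"}, 5))
    print("auth failures only, maxretry=6:", first_ban(ev, {"auth_failed"}, 6))
```

With these assumed thresholds, counting every disconnect reaches the limit within the first second of the burst, before the successful login at 20:35:18. Counting only `auth failed` lines reaches five at 20:35:18.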

