Outlook 2013, Autodiscover, AutoMX, Fail2ban, and Dovecot: Login probes trigger fail2ban and prevent auto configuration using Outlook 2013
Christian Rößner
c at roessner-network-solutions.com
Wed Mar 16 15:45:19 CET 2016
Hi,
> Am 15.03.2016 um 21:11 schrieb Bastian <volleyball at nurfuerspam.de>:
>
> Dear all,
>
> I installed AutoMX already quite a while ago on my server (running Ubuntu with Dovecot for IMAP+POP3 and Postfix for SMTP).
> So far, I assumed that everything worked properly. However, some days ago, I noticed that while setting up a mail account in Outlook 2013 that the automated configuration did no longer work.
>
> I looked at the different log files and my assumption is that Outlook can access the autodiscover service but misses some information in the autodiscover file. As a result, Outlook tries to connect to dovecot using multiple methods until it succeeds. Especially, it first tries to connect without using a user name or using only the local part of the e-mail address (see log file extract below) instead of using the full e-mail address as a login name (even though the autodiscover service clearly tells to use it). Since the first login attempts do not succeed, fail2ban comes into play and prohibits connections for the next minutes. If I disable fail2ban, autodisover works flawless (not taking into account the many failing login attempts at the beginning).
>
> Here is the settings that are required to connect to the server:
> - SMTP on port 587, STARTTLS, user name: e-mail address, password required, authentication: plain or encrypted
> - POP3(s) on port 995, TLS/SSL, user name: e-mail address, password required, authentication: plain or encrypted
> - IMAP(s) on port 993, TLS/SSL, user name: e-mail address, password required, authentication: plain or encrypted
>
> AutoMX seems to work (Outlook accesses https://autodiscover.domain.com/autodiscover/autodiscover.xml), it can be accessed via HTTP POST and produces the following result:
> <?xml version='1.0' encoding='utf-8'?>
> <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
> <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
> <Account>
> <AccountType>email</AccountType>
> <Action>settings</Action>
> <Protocol>
> <Type>SMTP</Type>
> <Server>srv1.domain.com</Server>
> <Port>587</Port>
> <DomainRequired>off</DomainRequired>
> <LoginName>mail at domain.com</LoginName>
> <SPA>off</SPA>
> <Encryption>TLS</Encryption>
> <AuthRequired>on</AuthRequired>
> <TTL>6</TTL>
> </Protocol>
> <Protocol>
> <Type>IMAP</Type>
> <Server>srv1.domain.com</Server>
> <Port>993</Port>
> <DomainRequired>off</DomainRequired>
> <LoginName>mail at domain.com</LoginName>
> <SPA>off</SPA>
> <Encryption>SSL</Encryption>
> <AuthRequired>on</AuthRequired>
> </Protocol>
> <Protocol>
> <Type>POP3</Type>
> <Server>srv1.domain.com</Server>
> <Port>995</Port>
> <DomainRequired>off</DomainRequired>
> <LoginName>mail at domain.com</LoginName>
> <SPA>off</SPA>
> <Encryption>SSL</Encryption>
> <AuthRequired>on</AuthRequired>
> </Protocol>
> </Account>
> </Response>
> </Autodiscover>
Can you turn on logging in automx and see, if the request reaches your server?
/etc/automx.conf:
[automx]
...
debug = yes
logfile = /var/log/automx/automx.log
Make sure, the user running the wsgi-script has write-permissions to the log-directory.
While watching the log file, please do a test with Outlook.
I hope your version of automx already has logfile-support...
Kind regards
Christian
—
Christian Rößner B.Sc.
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3089 bytes
Desc: not available
URL: <https://mail.sys4.de/pipermail/automx-users/attachments/20160316/9dd64f29/attachment.p7s>
More information about the automx-users
mailing list