
I'm having a strange issue with one of our cPanel/WHM servers where it appears to be failing dovecot (IMAP/POP3) logins only from a specific IP address. The client was setting up a new workstation and had forgotten the password to one of their accounts (IMAP), so Outlook was constantly prompting for the password.

Hearing this, I assumed LFD had blocked their IP for too many failed password attempts (even though it has been set up in csf.ignore). But alas, nothing is listed under CSF/LFD rules for that IP address. And connecting from the client's computer, I'm able to connect via telnet to dovecot on port 143 and also access the website running on that server, so the IP does not appear to be blocked in IPTables on the server.

Here are some telnet transcripts from my end and the client's end to show the response back from the server (email and password replaced):

Client end:

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a login clientemail@clientdomain.com accountpassword
a NO [AUTHENTICATIONFAILED] Authentication failed.

My end:

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a login clientemail@clientdomain.com accountpassword
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS QUOTA] Logged in

At this point I'm really scratching my head, so I had a look at the logs:

Valid password attempt from client end (Failure):

Feb 13 17:44:18 vps dovecot: auth(default): client in: AUTH#0117#011PLAIN#011service=imap#011lip=<serverip>#011rip=<clientip>#011lport=143#011rport=53055#011resp=<hidden>
Feb 13 17:44:18 vps dovecot: auth(default): checkpassword(clientemail@clientdomain.com,<clientip>): execute: /usr/local/cpanel/bin/dovecot-auth /usr/libexec/dovecot/checkpassword-reply
Feb 13 17:44:18 vps dovecot: auth(default): checkpassword(clientemail@clientdomain.com,<clientip>): Received no input
Feb 13 17:44:18 vps dovecot: auth(default): checkpassword(clientemail@clientdomain.com,<clientip>): exit_status=1
Feb 13 17:44:18 vps dovecot: auth(default): checkpassword(clientemail@clientdomain.com,<clientip>): Login failed (status=1)
Feb 13 17:44:20 vps dovecot: auth(default): client out: FAIL#0117#011user=clientemail@clientdomain.com

Bad password attempt from my end (Failure):

Feb 13 17:50:37 vps dovecot: auth(default): client in: AUTH#01112#011PLAIN#011service=imap#011lip=<serverip>#011rip=<myip>#011lport=143#011rport=61139#011resp=<hidden>
Feb 13 17:50:37 vps dovecot: auth(default): checkpassword(clientemail@clientdomain.com,<myip>): execute: /usr/local/cpanel/bin/dovecot-auth /usr/libexec/dovecot/checkpassword-reply
Feb 13 17:50:37 vps dovecot: auth(default): checkpassword(clientemail@clientdomain.com,<myip>): Received no input
Feb 13 17:50:37 vps dovecot: auth(default): checkpassword(clientemail@clientdomain.com,<myip>): exit_status=1
Feb 13 17:50:37 vps dovecot: auth(default): checkpassword(clientemail@clientdomain.com,<myip>): Login failed (status=1)
Feb 13 17:50:39 vps dovecot: auth(default): client out: FAIL#01112#011user=clientemail@clientdomain.com

Valid password attempt from my end (Success):

Feb 13 17:46:18 vps dovecot: auth(default): client in: AUTH#01110#011PLAIN#011service=imap#011lip=<serverip>#011rip=<myip>#011lport=143#011rport=61043#011resp=<hidden>
Feb 13 17:46:18 vps dovecot: auth(default): checkpassword(clientemail@clientdomain.com,<myip>): execute: /usr/local/cpanel/bin/dovecot-auth /usr/libexec/dovecot/checkpassword-reply
Feb 13 17:46:18 vps dovecot: auth(default): checkpassword(clientemail@clientdomain.com,<myip>): Received input: user=clientemail@clientdomain.com#011userdb_home=/home/<useraccount>/mail/<clientdomain.com>/<emailaccount>#011userdb_mail=maildir:/home/<useraccount>/mail/<clientdomain.com>/<emailaccount>#011userdb_gid=501#011userdb_quota=maildir:storage=0#011userdb_uid=502#011
Feb 13 17:46:18 vps dovecot: auth(default): checkpassword(clientemail@clientdomain.com,<myip>): Received no input
Feb 13 17:46:18 vps dovecot: auth(default): checkpassword(clientemail@clientdomain.com,<myip>): exit_status=0
Feb 13 17:46:18 vps dovecot: auth(default): client out: OK#01110#011user=clientemail@clientdomain.com
Feb 13 17:46:18 vps dovecot: auth(default): master in: REQUEST#01112#011383992#01110
Feb 13 17:46:18 vps dovecot: auth(default): prefetch(clientemail@clientdomain.com,<myip>): success
Feb 13 17:46:18 vps dovecot: auth(default): master out: USER#01112#011clientemail@clientdomain.com#011home=/home/<useraccount>/mail/<clientdomain.com>/<emailaccount>#011mail=maildir:/home/<useraccount>/mail/<clientdomain.com>/<emailaccount>#011gid=501#011quota=maildir:storage=0#011uid=502
Feb 13 17:46:18 vps dovecot: imap-login: Login: user=<clientemail@clientdomain.com>, method=PLAIN, rip=<myip>, lip=<serverip>

I should note that the server is hosted on separate networks from both the client and my location. I have tried restarting the server with no luck.

So my question is, does anyone know if there is some configuration/setting in dovecot that is forcing a connection from a specific IP address to fail?

Brett
  • Is cphulkd enabled in WHM? (Security Center -> cPHulk Brute Force Protection) If it's enabled, try flushing the db by pressing "clear failed logins" and see if that helps – Gryphius Feb 13 '13 at 09:36
  • Thank you!! I believe this is the case... I'm able to see the IP listed under excessive login failures in cPHulk, so that's been cleared now. I didn't even realise cPHulk was being used... I will confirm with the client when they wake up tomorrow. If you want to leave this as an answer I will mark it as accepted when I'm able to confirm the result. – Brett Feb 13 '13 at 12:11
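The log excerpts above are worth reading carefully from a triage standpoint: a valid password from the client's IP and a wrong password from the asker's IP both end in "Received no input" and exit_status=1 from the cPanel checkpassword helper, so the dovecot auth log alone cannot tell a bad password apart from a per-IP block. What the log can do is show, per source IP, whether any login ever succeeds. The script below is an added example, not code from the question or from cPanel/Dovecot; it decodes rsyslog's #ooo octal escapes (#011 is a tab), joins each "client in: AUTH" request to its "client out: OK/FAIL" reply by request id, and summarizes outcomes per rip. The sample lines are constructed to match the shape of the excerpts above, with documentation-range addresses and a placeholder mailbox in place of the original's hidden values.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the auth log excerpts in the question.
# Addresses and the mailbox name are placeholders, not values from the page.
SAMPLE_LOG = """\
Feb 13 17:44:18 vps dovecot: auth(default): client in: AUTH#0117#011PLAIN#011service=imap#011lip=203.0.113.10#011rip=198.51.100.5#011lport=143#011rport=53055#011resp=<hidden>
Feb 13 17:44:18 vps dovecot: auth(default): checkpassword(user@example.com,198.51.100.5): exit_status=1
Feb 13 17:44:20 vps dovecot: auth(default): client out: FAIL#0117#011user=user@example.com
Feb 13 17:46:18 vps dovecot: auth(default): client in: AUTH#01110#011PLAIN#011service=imap#011lip=203.0.113.10#011rip=192.0.2.77#011lport=143#011rport=61043#011resp=<hidden>
Feb 13 17:46:18 vps dovecot: auth(default): checkpassword(user@example.com,192.0.2.77): exit_status=0
Feb 13 17:46:18 vps dovecot: auth(default): client out: OK#01110#011user=user@example.com
Feb 13 17:50:37 vps dovecot: auth(default): client in: AUTH#01112#011PLAIN#011service=imap#011lip=203.0.113.10#011rip=192.0.2.77#011lport=143#011rport=61139#011resp=<hidden>
Feb 13 17:50:37 vps dovecot: auth(default): checkpassword(user@example.com,192.0.2.77): exit_status=1
Feb 13 17:50:39 vps dovecot: auth(default): client out: FAIL#01112#011user=user@example.com
"""

# rsyslog writes control characters as '#' followed by three octal digits.
CTRL_ESCAPE = re.compile(r"#([0-7]{3})")


def unescape_syslog(line: str) -> str:
    """Decode #ooo octal escapes, so 'AUTH#0117#011PLAIN' becomes 'AUTH\\t7\\tPLAIN'."""
    return CTRL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), line)


# Only the auth client in/out lines carry the request id, source IP and outcome.
AUTH_LINE = re.compile(r"auth\(\w+\): (client in|client out): (.*)$")


def parse_auth_events(log_text: str):
    """Yield (direction, verb, request_id, fields) for each dovecot auth client line."""
    for raw in log_text.splitlines():
        m = AUTH_LINE.search(unescape_syslog(raw))
        if not m:
            continue
        direction, payload = m.groups()
        parts = payload.split("\t")
        verb, req_id = parts[0], parts[1]
        # Remaining tab-separated tokens are key=value pairs (PLAIN etc. are skipped).
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        yield direction, verb, req_id, fields


def summarize_by_ip(log_text: str) -> dict:
    """Join each AUTH request (which carries rip=) with its OK/FAIL reply by request id
    and count outcomes per source IP: {rip: {"ok": n, "fail": n, "users": set()}}."""
    pending = {}  # request id -> remote IP, filled by 'client in', consumed by 'client out'
    summary = defaultdict(lambda: {"ok": 0, "fail": 0, "users": set()})
    for direction, verb, req_id, fields in parse_auth_events(log_text):
        if direction == "client in" and verb == "AUTH":
            pending[req_id] = fields.get("rip", "?")
        elif direction == "client out" and verb in ("OK", "FAIL"):
            rip = pending.pop(req_id, "?")
            entry = summary[rip]
            entry["ok" if verb == "OK" else "fail"] += 1
            if "user" in fields:
                entry["users"].add(fields["user"])
    return dict(summary)


def ips_failing_only(summary: dict) -> list:
    """Source IPs with failures and no successes at all: the ones to check against
    a per-IP lockout (cPHulk, CSF/LFD) before assuming a wrong password."""
    return sorted(ip for ip, e in summary.items() if e["fail"] and not e["ok"])


if __name__ == "__main__":
    result = summarize_by_ip(SAMPLE_LOG)
    for ip, e in sorted(result.items()):
        print(f"{ip}: ok={e['ok']} fail={e['fail']} users={sorted(e['users'])}")
    print("never succeeds:", ips_failing_only(result))
```

On a real server you would feed it the maillog (for example `/var/log/maillog` on cPanel systems) instead of SAMPLE_LOG. An IP that only ever fails is not proof of a block, but it is exactly the case where the answer's advice applies: check the cPHulk failure list in WHM before spending more time on the password itself.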


cPanel has its own brute force protection system, "cPHulk", which might be the reason for the block.

Check in WHM -> Security Center -> cPHulk Brute Force Protection if the daemon is enabled and if the IP is listed. Unblock the IP by pressing "clear failed logins".

Gryphius
  • Thank you, confirmed with the customer: after clearing the cPHulk block all appears to be working now. nufty linux admin :) – Brett Feb 14 '13 at 00:39