I have recently noticed that my server was reporting in mail.log a lot of bad authentications for known users, and it's not a brute-force attack. I really don't know the cause of these authentications. I have users using the Gmail app, Mail on iOS, the Mail app on Mac OS X, Thunderbird and Outlook, and also a webmail service to access this server. On this server I have a self-signed certificate, and it is also working as a mail smart host. This system is Mac OS X 10.9.5.
Of all the platforms, Outlook is the only one that behaves strangely while connected to this server. It constantly shows an annoying login popup with the user's credentials, out of nowhere, and this happens with all my Outlook users. Users can use Outlook to send and receive, and everything seems to work, except for that login popup.
In my mail.log I have this issue with SASL DIGEST-MD5, SASL PLAIN and SASL CRAM-MD5; for example, some random samples:
Jan 19 11:43:43 remote.x.pt postfix/smtpd[53889]: error: validate response: authentication failed for user=lcg (method=DIGEST-MD5)
Jan 19 11:43:43 remote.x.pt postfix/smtpd[53889]: warning: unknown[192.168.1.72]: SASL DIGEST-MD5 authentication failed
Jan 18 17:10:46 remote.x.pt postfix/smtpd[5838]: error: verify password: authentication failed: user=teste2@x.pt
Jan 18 17:10:46 remote.x.pt postfix/smtpd[5838]: warning: hq2.pacsis.pt[x]: SASL PLAIN authentication failed
Jan 16 15:13:06 remote.x.pt postfix/smtpd[17510]: error: validate response: authentication failed for user=teste3 (method=CRAM-MD5)
Jan 16 15:13:06 remote.x.pt postfix/smtpd[17510]: warning: remote.x.pt[192.168.1.1]: SASL CRAM-MD5 authentication failed
The first attempt was from Outlook, the second one I think came from the mail web service, and the third from the Mail app.
I cannot figure out what is causing this, but since I have bad auths from several different software clients, I assume that there is something in my Postfix or Dovecot configs.
Here you can check both configs:
Postfix: http://pastebin.com/EU1iLjAP
Dovecot: http://pastebin.com/N9MfuvkD
Ports being used:
587 SMTP STARTTLS
993 IMAP SSL
UPDATE 1:
This is what is happening; here you can see that after a bad authentication at first, it then authenticates successfully:
Jan 19 14:33:05 remote.x.pt postfix/smtpd[62409]: error: validate response: authentication failed for user=lcg (method=DIGEST-MD5)
Jan 19 14:33:05 remote.x.pt postfix/smtpd[62409]: warning: unknown[192.168.1.72]: SASL DIGEST-MD5 authentication failed
Jan 19 14:33:05 remote.x.pt postfix/smtpd[62409]: verify password: AUTH PLAIN: authentication succeeded for user=lcg
UPDATE 2:
It seems like my server doesn't allow DIGEST-MD5 and CRAM-MD5 and then it switches to PLAIN, for certain users. On localhost I can use at least CRAM-MD5 without a problem.
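An added example, not part of the original post: a short Python script that groups the SASL lines in mail.log by smtpd process id, to tell a failed mechanism followed by a successful one (the pattern in UPDATE 1) apart from a login that never succeeds. The sample lines are copied from the excerpts above; treating one pid as one login session is a simplifying assumption, since an smtpd process serves several connections over its lifetime.

```python
import re

# Sample lines copied from the post's mail.log excerpts (UPDATE 1 and Jan 18).
SAMPLE_LOG = """\
Jan 19 14:33:05 remote.x.pt postfix/smtpd[62409]: error: validate response: authentication failed for user=lcg (method=DIGEST-MD5)
Jan 19 14:33:05 remote.x.pt postfix/smtpd[62409]: warning: unknown[192.168.1.72]: SASL DIGEST-MD5 authentication failed
Jan 19 14:33:05 remote.x.pt postfix/smtpd[62409]: verify password: AUTH PLAIN: authentication succeeded for user=lcg
Jan 18 17:10:46 remote.x.pt postfix/smtpd[5838]: error: verify password: authentication failed: user=teste2@x.pt
Jan 18 17:10:46 remote.x.pt postfix/smtpd[5838]: warning: hq2.pacsis.pt[x]: SASL PLAIN authentication failed
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
USER_FAIL = re.compile(r"authentication failed(?: for|:) user=(\S+)")
MECH_FAIL = re.compile(r"warning: (\S+): SASL ([\w-]+) authentication failed")
SUCCESS = re.compile(r"AUTH ([\w-]+): authentication succeeded for user=(\S+)")


def summarize(log_text):
    """Return {pid: session}, labelling each session with a verdict.

    Assumption: all auth lines sharing a pid belong to one login session.
    """
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an smtpd line
        pid, msg = m.groups()
        s = sessions.setdefault(
            pid, {"user": None, "client": None, "failed": [], "succeeded": None})
        if (ok := SUCCESS.search(msg)):
            s["succeeded"], s["user"] = ok.groups()
        elif (mf := MECH_FAIL.search(msg)):
            s["client"] = mf.group(1)
            s["failed"].append(mf.group(2))  # mechanism that was rejected
        elif (uf := USER_FAIL.search(msg)):
            s["user"] = uf.group(1)
    for s in sessions.values():
        if s["failed"] and s["succeeded"]:
            s["verdict"] = "mechanism fallback"  # failed first, then succeeded
        elif s["failed"]:
            s["verdict"] = "failed login"        # never succeeded
        else:
            s["verdict"] = "clean login"
    return sessions


if __name__ == "__main__":
    for pid, s in summarize(SAMPLE_LOG).items():
        print(pid, s["user"], s["client"], s["failed"], "->", s["succeeded"], s["verdict"])
```

Sessions labelled "failed login" are the ones to review for wrong passwords or guessing; "mechanism fallback" sessions point at how the server handles the offered mechanisms rather than at the credentials.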