Many authentication failed logins for "good" users

I have recently noticed that my server was reporting in mail.log a lot of bad authentications for known users, and it's not a brute force attack. And I really don't know the cause of such authentications. I have users using the Gmail app, Mail on iOS, the Mail app on Mac OS X, Thunderbird and Outlook, and also a webmail service to access this server. On this server I have a self-signed certificate, and it is also working as a mail smart host. This system is Mac OS X 10.9.5.

Of all the platforms, Outlook is the only one that has strange behaviour while it is connected to this server. It is constantly showing an annoying login popup with the credentials of the user, out of nowhere, and this happens with all my Outlook users. Users can use Outlook to send and receive, and all seems to work, except for that login popup.

In my mail.log I have this issue with SASL DIGEST-MD5, SASL PLAIN and SASL CRAM-MD5; for example, some random samples:

Jan 19 11:43:43 remote.x.pt postfix/smtpd[53889]: error: validate response: authentication failed for user=lcg (method=DIGEST-MD5)
Jan 19 11:43:43 remote.x.pt postfix/smtpd[53889]: warning: unknown[192.168.1.72]: SASL DIGEST-MD5 authentication failed

Jan 18 17:10:46 remote.x.pt postfix/smtpd[5838]: error: verify password: authentication failed: user=teste2@x.pt
Jan 18 17:10:46 remote.x.pt postfix/smtpd[5838]: warning: hq2.pacsis.pt[x]: SASL PLAIN authentication failed

Jan 16 15:13:06 remote.x.pt postfix/smtpd[17510]: error: validate response: authentication failed for user=teste3 (method=CRAM-MD5)
Jan 16 15:13:06 remote.x.pt postfix/smtpd[17510]: warning: remote.x.pt[192.168.1.1]: SASL CRAM-MD5 authentication failed

The first attempt was from Outlook, the second one I think came from the mail webservice, and the third from the Mail app.

I cannot figure out what is causing this, but since I have bad auths from several different software clients I assume that there is something in my Postfix or Dovecot configs.

Here you can check both configs:

Postfix: http://pastebin.com/EU1iLjAP

Dovecot: http://pastebin.com/N9MfuvkD

Ports being used:

  • 587 SMTP STARTLS

  • 993 IMAP SSL
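A triage aid for the log excerpt above, added here as an example and not part of the original post: it joins each `error: ... user=` line to the `warning: ... SASL` line from the same smtpd process and tallies failures per user, client address and SASL mechanism, which shows whether failures cluster on one client or one mechanism. The function names `sasl_failures` and `tally` are assumptions, and the last two sample lines are constructed.

```python
import re
from collections import Counter

# First four lines are quoted from the post; the last two are constructed
# (a repeat failure for the same user) so the tally has something to count.
SAMPLE_LOG = """\
Jan 19 11:43:43 remote.x.pt postfix/smtpd[53889]: error: validate response: authentication failed for user=lcg (method=DIGEST-MD5)
Jan 19 11:43:43 remote.x.pt postfix/smtpd[53889]: warning: unknown[192.168.1.72]: SASL DIGEST-MD5 authentication failed
Jan 18 17:10:46 remote.x.pt postfix/smtpd[5838]: error: verify password: authentication failed: user=teste2@x.pt
Jan 18 17:10:46 remote.x.pt postfix/smtpd[5838]: warning: hq2.pacsis.pt[x]: SASL PLAIN authentication failed
Jan 19 11:44:13 remote.x.pt postfix/smtpd[53901]: error: validate response: authentication failed for user=lcg (method=DIGEST-MD5)
Jan 19 11:44:13 remote.x.pt postfix/smtpd[53901]: warning: unknown[192.168.1.72]: SASL DIGEST-MD5 authentication failed
"""

PREFIX = r"^(\w{3}\s+\d+ [\d:]+) \S+ postfix/smtpd\[(\d+)\]: "
USER_RE = re.compile(PREFIX + r"error: .*authentication failed.*?user=(\S+)")
CLIENT_RE = re.compile(PREFIX + r"warning: (\S+)\[([^\]]+)\]: SASL (\S+) authentication failed")

def sasl_failures(log_text):
    """Join each 'error: ... user=' line to the 'warning: ... SASL' line
    logged by the same smtpd pid, giving one record per failed login."""
    pending = {}   # smtpd pid -> user name seen on the error line
    events = []
    for line in log_text.splitlines():
        m = USER_RE.match(line)
        if m:
            pending[m.group(2)] = m.group(3)
            continue
        m = CLIENT_RE.match(line)
        if m:
            ts, pid, host, addr, method = m.groups()
            events.append({"time": ts, "user": pending.pop(pid, None),
                           "host": host, "addr": addr, "method": method})
    return events

def tally(events):
    """Count failures per (user, client address, SASL mechanism)."""
    return Counter((e["user"], e["addr"], e["method"]) for e in events)

if __name__ == "__main__":
    for (user, addr, method), n in tally(sasl_failures(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  user={user}  client={addr}  mech={method}")
```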
