exim/imap with csf

Hollanda

Hi guys,

I'm having problems with the csf plugin. Csf blocks ports used for mail/imap. It looks like this happens from ip's which use a lot of ip's (pc, laptop, tablet, phones, etc). What is the proper setting in the csf config to allow multiple connections?

Regards,
Dave
 
Depends on what you mean. CSF does not block ports for mail/imap unless you changed the default ports which are already configured to be opened when you install CSF/LFD.
So the default setting is the proper setting.
If it's coming from internal ip's who don't check different, but check the same email address, see if the pop3 email address is maybe checked every minute.
Several idiots out there think that this is needed for some kind of bull**** reason. You might however get trapped by CSF that way.

If you don't mind that, check the "LT_POP3D =" and "LT_IMAPD =" settings. If there is a setting, put them to 0 (like LT_IMAPD = "0") to disable them.
It's best by the way, to have LT_IMAPD = "0" due to how imapd works.
 
imap port is default, most settings from csf are default. LT_POP3D was 180, set back to 0.

users connections get blocked totally, will report back if setting LT_POP3D to 0 will improve.

Regards,
Dave
 
By the way, you should start with checking /var/log/csf.log to learn why an IP was blocked, as it might be caused by settings of the "Login Failure Blocking and Alerts" section.

users connections get blocked totally

Of course if you run BFM with Directadmin, you might want to disable the settings in CSF, as alternative you might want to change some values, so CSF would block access to a particular service (PORT) but not to the all ports at once:

Code:
# To only block access to the failed application instead of a complete block
# for an ip address, you can set the following to "1", but LF_TRIGGER must be
# set to "0" with specific application [*] trigger levels also set appropriately
LF_SELECT = "0"

Try to change it to "1". And switch to temp blocks instead of permanent (the latter is default).
 
BFM is disabled. Users get blocked and have the following in the logfile:

Feb 2 16:12:05 web03 lfd[26181]: (smtpauth) Failed SMTP AUTH login from xx.xxx.xx.xx): 5 in the last 300 secs - *Blocked in csf* [LF_SMTPAUTH]
Feb 7 19:53:43 web03 lfd[11075]: (smtpauth) Failed SMTP AUTH login from xx.xxx.xx.xx): 5 in the last 300 secs - *Blocked in csf* [LF_SMTPAUTH]

It looks like this only happens with users with OS X + iPads + iPhones.
 
Let them check their email settings.
I've heard from OS X that Apple Mail is not sending out 1 verification, but several at the same time (pop3, pop3s, imap, imaps) which can cause this behaviour.
They setup a password for imap and then you get the failed auth logins from the pop3 for example. There is an option to have Apple Mail only do 1 verification, they can find it on the net.
I don't know if this is also the case on iphones and ipads, I don't know.

Next to that. It's stupid and never needed to check mail every minute (5 attempts in 300 secs is 1 attempt a minute). Let them set their email polling to a normal level, like minimal 10 minutes. If somebody is really waiting for something, they can always click a few times extra manually to try and pick up mail. But normally checking mail every minute is only done by people who..... well... I won't say it, but I guess you know what I mean.
Lowering the email polling to a normal level will also give mailservers some peace to do their thing, and also keeps these kinds of firewall lockouts out of the door.
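
Added example, not part of any post in this thread: a small shell function that summarises lfd "*Blocked in csf*" lines like the ones quoted above by trigger and source IP, so you can see which LF_ setting in the csf config is causing the lockouts. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format of the lfd lines quoted in the thread.
# Addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
sample_log() {
cat <<'EOF'
Feb  2 16:12:05 web03 lfd[26181]: (smtpauth) Failed SMTP AUTH login from 203.0.113.10 (NL/Netherlands/-): 5 in the last 300 secs - *Blocked in csf* [LF_SMTPAUTH]
Feb  7 19:53:43 web03 lfd[11075]: (smtpauth) Failed SMTP AUTH login from 203.0.113.10 (NL/Netherlands/-): 5 in the last 300 secs - *Blocked in csf* [LF_SMTPAUTH]
Feb  8 09:01:17 web03 lfd[11990]: (imapd) Failed IMAP login from 198.51.100.7 (NL/Netherlands/-): 10 in the last 300 secs - *Blocked in csf* [LF_IMAPD]
Feb  8 09:05:00 web03 lfd[11990]: an unrelated line that is not a block
EOF
}

# Read lfd log lines on stdin and print "count TRIGGER ip",
# most frequently blocked combination first.
summarize_lfd_blocks() {
    awk '
        /\*Blocked in csf\*/ {
            ip = ""
            # The source address is the field right after the word "from".
            for (i = 1; i < NF; i++) {
                if ($i == "from") { ip = $(i + 1); break }
            }
            sub(/[):]+$/, "", ip)          # drop trailing ")" or ":" if present
            # The trigger is the last field, e.g. [LF_SMTPAUTH].
            if (ip == "" || $NF !~ /^\[.*\]$/) next
            trig = substr($NF, 2, length($NF) - 2)
            count[trig " " ip]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample.
sample_log | summarize_lfd_blocks
```

The trigger name in the second column is the csf config setting to review for that address; on a server, feed the function the log file instead of `sample_log`.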
 