pop3-login: Disconnected

djcart

Hi, I have a problem with my LFD and CSF. We have a client who has several mailboxes. I use Thunderbird to handle the mailboxes; unfortunately, it is often blocked. In the logs we get the following message:

Nov 25 12:06:49 server dovecot[1482953]: pop3-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 82 secs): user=<[email protected]>, method=PLAIN, rip=xx.xx.xx.15, lip=xx.xx.xx.17, TLS, session=<uIjGf0nuHJ4FraAP>

We don't know how to fix it. Could someone help?
 
Or if TB has the correct pass, then check if the account is also used on another device.
We often experience that users enable the mail accounts on their phone and then on one or more accounts they have the wrong password. But they don't care since their mail arrives in their mailbox.
Result: Too often failed logins and then blocked in the firewall.
 
The good news is that it's simple server side. Bad news is that it might not be on the client side. Simple answer is the app is submitting the wrong password, no action is necessary on the server to correct that.

I always tell people to test their password with webmail and if it works, consider that webmail does not have any more authority or access than Thunderbird does on your computer. It might look like it does, or create that impression because it's hosted on the server, but it uses the same ports and authentication mechanisms as your client, nothing fancy at all. So if it works on webmail and not in Thunderbird, it's easiest to say it's either using wrong authentication mechanisms or it's simply sending the wrong password.
 
The good news is that it's simple server side. Bad news is that it might not be on the client side. Simple answer is the app is submitting the wrong password, no action is necessary on the server to correct that.
Euh... that's a contradiction. If the app sends the wrong password then it's the app.... that's client side. Especially if no action is needed on the server to correct it. So it's not simple server side in this case, it's simple client side.
It's either server side, or client side, there is no other side. Sending a wrong password is client side.

What you explain in the second half is an option, but does not need to be true if you read my explanation. It can just as well be another device causing the block, and then Thunderbird won't be able to log in either, while webmail login is still available.
 
So it's not simple server side in this case

I suppose we could argue phrasing but if it isn't a server side problem, then dealing with it from the server side is quite easy: You don't have to 😂

What you explain in the second half is an option, but does not need to be true if you read my explanation. It can just as well be another device causing the block, and then Thunderbird won't be able to log in either, while webmail login is still available.

CSF generally blocks the IP as a whole, so you're usually not getting through to anything to get an authentication failure if an IP block has happened as a result of the login failures. You'd just get a timeout, and there'd be no log of the authentication attempt.
 
then dealing with it from the server side is quite easy: You don't have to 😂
Ah phrasing issue, that can happen. We agree in any case on this one... server side work is easy, nothing. :D

CSF generally blocks the IP as a whole
Correct, if not changed it will block the whole IP. We got that changed on a server for an important customer, so they could still change their website and use webmail if needed. They instantly know they f*cked up with email and pass again.
That happened several times, then they got tired of it and appointed 1 person the task to create new mail addresses and passwords for the company and then the issue was history. :)

The most annoying thing I experienced is certain users sometimes definitely stating they don't use the mail on another device and that it's the server. And it takes extra work to check the logs and present them with the various local IPs they are using, to prove otherwise.
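
The log check discussed in this thread (which remote IPs are producing failed logins for a mailbox, and whether more than one device is involved) can be scripted. The following is an added example, not code from any poster; the function names, mailboxes and addresses are constructed, and the sample lines follow the format of the dovecot entry quoted in the first post.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the dovecot line quoted in the thread
# (documentation IP ranges, made-up mailboxes). The third line is a successful login.
SAMPLE_LOG = """\
Nov 25 12:06:49 server dovecot[1482953]: pop3-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 82 secs): user=<info@example.com>, method=PLAIN, rip=192.0.2.15, lip=198.51.100.17, TLS, session=<aaaaaaaaaaaaaaaa>
Nov 25 12:07:10 server dovecot[1482960]: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.40, lip=198.51.100.17, TLS, session=<bbbbbbbbbbbbbbbb>
Nov 25 12:07:30 server dovecot[1482970]: imap-login: Login: user=<sales@example.com>, method=PLAIN, rip=192.0.2.15, lip=198.51.100.17, mpid=1483001, TLS, session=<cccccccccccccccc>
Nov 25 12:09:02 server dovecot[1482981]: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.40, lip=198.51.100.17, TLS, session=<dddddddddddddddd>
Nov 25 12:10:00 server dovecot[1482990]: pop3-login: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 2 secs): user=<sales@example.com>, method=PLAIN, rip=192.0.2.15, lip=198.51.100.17, TLS, session=<eeeeeeeeeeeeeeee>
"""

# Matches only lines that report failed authentication; captures the service
# (pop3/imap), the attempt count, the mailbox and the remote (client) IP.
FAIL_RE = re.compile(
    r"dovecot\[\d+\]: (?P<svc>[\w-]+)-login: .*?"
    r"\(auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>,.*?\brip\s*=\s*(?P<rip>[0-9A-Fa-f.:]+)"
)

def failed_logins(log_text):
    """Return {mailbox: {remote_ip: {"attempts": int, "services": set}}}."""
    stats = defaultdict(lambda: defaultdict(lambda: {"attempts": 0, "services": set()}))
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            entry = stats[m["user"]][m["rip"]]
            entry["attempts"] += int(m["n"])
            entry["services"].add(m["svc"])
    return stats

def multi_source_users(stats):
    """Mailboxes failing from more than one remote IP: a hint that a second
    device (for example a phone) still holds an old password."""
    return sorted(user for user, ips in stats.items() if len(ips) > 1)

def report(stats):
    """One line per mailbox and remote IP, ready to show to the user."""
    return [f"{user}  {ip}  {e['attempts']} failed via {','.join(sorted(e['services']))}"
            for user in sorted(stats) for ip, e in sorted(stats[user].items())]

if __name__ == "__main__":
    stats = failed_logins(SAMPLE_LOG)
    print("\n".join(report(stats)))
    print("failing from several IPs:", multi_source_users(stats))
```

To use it on a real server, pass the contents of the mail log to failed_logins() instead of SAMPLE_LOG.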
 