I have certain power users who can't login through POP3 or IMAP from their computer while being receiving mail on their cell phones (pop3), despite pop3_lock_session = no
Am I hitting some other limit? I don't see any error in dovecot.log but a generic failed login:
Oct 21 10:31:44 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=someuser@somedomain.com, method=DIGEST-MD5, rip=::1, lip=::1, secured, session=<XSVQLSqy2IYAAAAAAAAAAAAAAAAAAAAB>
Running version is 2.3.11.3
On 21/10/2020 12:58 jesus san miguel jesus.sanmiguel@gmail.com wrote:
I have certain power users who can't login through POP3 or IMAP from their computer while being receiving mail on their cell phones (pop3), despite pop3_lock_session = no
Am I hitting some other limit? I don't see any error in dovecot.log but a generic failed login:
Oct 21 10:31:44 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=someuser@somedomain.com, method=DIGEST-MD5, rip=::1, lip=::1, secured, session=<XSVQLSqy2IYAAAAAAAAAAAAAAAAAAAAB>
Running version is 2.3.11.3
Do you support DIGEST-MD5 logins? If yes, then they have wrong password.
Aki
Yes, we support DIGEST-MD5, but the password is correct: If I restart the service, they can login immediately.
[root@hermes dovecot]# grep md5 * grep: conf.d: Is a directory toaster.conf:auth_mechanisms = plain login digest-md5 cram-md5 [root@hermes dovecot]#
On Wed, Oct 21, 2020 at 12:12 PM Aki Tuomi aki.tuomi@open-xchange.com wrote:
On 21/10/2020 12:58 jesus san miguel jesus.sanmiguel@gmail.com wrote:
I have certain power users who can't login through POP3 or IMAP from their computer while being receiving mail on their cell phones (pop3), despite pop3_lock_session = no
Am I hitting some other limit? I don't see any error in dovecot.log but a generic failed login:
Oct 21 10:31:44 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=someuser@somedomain.com, method=DIGEST-MD5, rip=::1, lip=::1, secured, session=<XSVQLSqy2IYAAAAAAAAAAAAAAAAAAAAB>
Running version is 2.3.11.3
Do you support DIGEST-MD5 logins? If yes, then they have wrong password.
Aki
Can you turn on
auth_debug=yes
and then see what happens?
Aki
On 21/10/2020 13:46 jesus san miguel jesus.sanmiguel@gmail.com wrote:
Yes, we support DIGEST-MD5, but the password is correct: If I restart the service, they can login immediately.
[root@hermes dovecot]# grep md5 * grep: conf.d: Is a directory toaster.conf:auth_mechanisms = plain login digest-md5 cram-md5 [root@hermes dovecot]#
On Wed, Oct 21, 2020 at 12:12 PM Aki Tuomi aki.tuomi@open-xchange.com wrote:
On 21/10/2020 12:58 jesus san miguel jesus.sanmiguel@gmail.com wrote:
I have certain power users who can't login through POP3 or IMAP from their computer while being receiving mail on their cell phones (pop3), despite pop3_lock_session = no
Am I hitting some other limit? I don't see any error in dovecot.log but a generic failed login:
Oct 21 10:31:44 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=someuser@somedomain.com, method=DIGEST-MD5, rip=::1, lip=::1, secured, session=<XSVQLSqy2IYAAAAAAAAAAAAAAAAAAAAB>
Running version is 2.3.11.3
Do you support DIGEST-MD5 logins? If yes, then they have wrong password.
Aki
Yes, something came up here:
Oct 21 15:34:18 auth: Debug: auth client connected (pid=1706005)
Oct 21 15:34:18 auth: Debug: client in: AUTH 1 DIGEST-MD5 service=imap secured session=EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB lip=::1rip=::1 lport=143 rport=37892
Oct 21 15:34:18 auth: Debug: client passdb out: CONT 1 cmVhbG09IiIsbm9uY2U9ImxFZEFqZG91OFNTRWJXMWo4dWNwdWc9PSIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI=
Oct 21 15:34:18 auth: Debug: client in: CONT<hidden>
Oct 21 15:34:18 auth: Debug: vpopmail(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): Performing passdb lookup
Oct 21 15:34:18 auth: Debug: vpopmail(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): cache hit: <hidden>
Oct 21 15:34:18 auth: Info: vpopmail(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): Requested DIGEST-MD5 scheme, but we have only SHA1
Oct 21 15:34:18 auth: Debug: vpopmail(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): Finished passdb lookup
Oct 21 15:34:18 auth: Debug: auth(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): Auth request finished
Oct 21 15:34:20 auth: Debug: client passdb out: FAIL 1 user=someuser@somedomain.com
Oct 21 15:34:20 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=someuser@somedomain.com, method=DIGEST-MD5, rip=::1, lip=::1, secured, session=<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>
On Wed, Oct 21, 2020 at 1:11 PM Aki Tuomi aki.tuomi@open-xchange.com wrote:
Can you turn on
auth_debug=yes
and then see what happens?
Aki
On 21/10/2020 13:46 jesus san miguel jesus.sanmiguel@gmail.com wrote:
Yes, we support DIGEST-MD5, but the password is correct: If I restart the service, they can login immediately.
[root@hermes dovecot]# grep md5 * grep: conf.d: Is a directory toaster.conf:auth_mechanisms = plain login digest-md5 cram-md5 [root@hermes dovecot]#
On Wed, Oct 21, 2020 at 12:12 PM Aki Tuomi aki.tuomi@open-xchange.com wrote:
On 21/10/2020 12:58 jesus san miguel jesus.sanmiguel@gmail.com wrote:
I have certain power users who can't login through POP3 or IMAP from their computer while being receiving mail on their cell phones (pop3), despite pop3_lock_session = no
Am I hitting some other limit? I don't see any error in dovecot.log but a generic failed login:
Oct 21 10:31:44 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=someuser@somedomain.com, method=DIGEST-MD5, rip=::1, lip=::1, secured, session=<XSVQLSqy2IYAAAAAAAAAAAAAAAAAAAAB>
Running version is 2.3.11.3
Do you support DIGEST-MD5 logins? If yes, then they have wrong password.
Aki
You can't use DIGEST-MD5 if you have hashed passwords (using other than DIGEST-MD5 scheme).
Aki
On 21/10/2020 16:52 jesus san miguel jesus.sanmiguel@gmail.com wrote:
Yes, something came up here:
Oct 21 15:34:18 auth: Debug: auth client connected (pid=1706005)
Oct 21 15:34:18 auth: Debug: client in: AUTH 1 DIGEST-MD5 service=imap secured session=EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB lip=::1rip=::1 lport=143 rport=37892
Oct 21 15:34:18 auth: Debug: client passdb out: CONT 1 cmVhbG09IiIsbm9uY2U9ImxFZEFqZG91OFNTRWJXMWo4dWNwdWc9PSIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI=
Oct 21 15:34:18 auth: Debug: client in: CONT<hidden>
Oct 21 15:34:18 auth: Debug: vpopmail(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): Performing passdb lookup
Oct 21 15:34:18 auth: Debug: vpopmail(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): cache hit: <hidden>
Oct 21 15:34:18 auth: Info: vpopmail(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): Requested DIGEST-MD5 scheme, but we have only SHA1
Oct 21 15:34:18 auth: Debug: vpopmail(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): Finished passdb lookup
Oct 21 15:34:18 auth: Debug: auth(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): Auth request finished
Oct 21 15:34:20 auth: Debug: client passdb out: FAIL 1 user=someuser@somedomain.com
Oct 21 15:34:20 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=someuser@somedomain.com, method=DIGEST-MD5, rip=::1, lip=::1, secured, session=<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>
On Wed, Oct 21, 2020 at 1:11 PM Aki Tuomi aki.tuomi@open-xchange.com wrote:
Can you turn on
auth_debug=yes
and then see what happens?
Aki
On 21/10/2020 13:46 jesus san miguel jesus.sanmiguel@gmail.com wrote:
Yes, we support DIGEST-MD5, but the password is correct: If I restart the service, they can login immediately.
[root@hermes dovecot]# grep md5 * grep: conf.d: Is a directory toaster.conf:auth_mechanisms = plain login digest-md5 cram-md5 [root@hermes dovecot]#
On Wed, Oct 21, 2020 at 12:12 PM Aki Tuomi aki.tuomi@open-xchange.com wrote:
On 21/10/2020 12:58 jesus san miguel jesus.sanmiguel@gmail.com wrote:
I have certain power users who can't login through POP3 or IMAP from their computer while being receiving mail on their cell phones (pop3), despite pop3_lock_session = no
Am I hitting some other limit? I don't see any error in dovecot.log but a generic failed login:
Oct 21 10:31:44 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=someuser@somedomain.com, method=DIGEST-MD5, rip=::1, lip=::1, secured, session=<XSVQLSqy2IYAAAAAAAAAAAAAAAAAAAAB>
Running version is 2.3.11.3
Do you support DIGEST-MD5 logins? If yes, then they have wrong password.
Aki
That was it. Disabling MD5 auth methods got rid of the error... Thx.
On Wed, Oct 21, 2020 at 4:00 PM Aki Tuomi aki.tuomi@open-xchange.com wrote:
You can't use DIGEST-MD5 if you have hashed passwords (using other than DIGEST-MD5 scheme).
Aki
On 21/10/2020 16:52 jesus san miguel jesus.sanmiguel@gmail.com wrote:
Yes, something came up here:
Oct 21 15:34:18 auth: Debug: auth client connected (pid=1706005)
Oct 21 15:34:18 auth: Debug: client in: AUTH 1 DIGEST-MD5 service=imap secured session=EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB lip=::1rip=::1 lport=143 rport=37892
Oct 21 15:34:18 auth: Debug: client passdb out: CONT 1 cmVhbG09IiIsbm9uY2U9ImxFZEFqZG91OFNTRWJXMWo4dWNwdWc9PSIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI=
Oct 21 15:34:18 auth: Debug: client in: CONT<hidden>
Oct 21 15:34:18 auth: Debug: vpopmail(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): Performing passdb lookup
Oct 21 15:34:18 auth: Debug: vpopmail(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): cache hit: <hidden>
Oct 21 15:34:18 auth: Info: vpopmail(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): Requested DIGEST-MD5 scheme, but we have only SHA1
Oct 21 15:34:18 auth: Debug: vpopmail(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): Finished passdb lookup
Oct 21 15:34:18 auth: Debug: auth(someuser@somedomain.com,::1,<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>): Auth request finished
Oct 21 15:34:20 auth: Debug: client passdb out: FAIL 1 user=someuser@somedomain.com
Oct 21 15:34:20 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=someuser@somedomain.com, method=DIGEST-MD5, rip=::1, lip=::1, secured, session=<EQqBZy6yBJQAAAAAAAAAAAAAAAAAAAAB>
On Wed, Oct 21, 2020 at 1:11 PM Aki Tuomi aki.tuomi@open-xchange.com wrote:
Can you turn on
auth_debug=yes
and then see what happens?
Aki
On 21/10/2020 13:46 jesus san miguel jesus.sanmiguel@gmail.com wrote:
Yes, we support DIGEST-MD5, but the password is correct: If I restart the service, they can login immediately.
[root@hermes dovecot]# grep md5 * grep: conf.d: Is a directory toaster.conf:auth_mechanisms = plain login digest-md5 cram-md5 [root@hermes dovecot]#
On Wed, Oct 21, 2020 at 12:12 PM Aki Tuomi aki.tuomi@open-xchange.com wrote:
On 21/10/2020 12:58 jesus san miguel jesus.sanmiguel@gmail.com wrote:
I have certain power users who can't login through POP3 or IMAP from their computer while being receiving mail on their cell phones (pop3), despite pop3_lock_session = no
Am I hitting some other limit? I don't see any error in dovecot.log but a generic failed login:
Oct 21 10:31:44 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=someuser@somedomain.com, method=DIGEST-MD5, rip=::1, lip=::1, secured, session=<XSVQLSqy2IYAAAAAAAAAAAAAAAAAAAAB>
Running version is 2.3.11.3
Do you support DIGEST-MD5 logins? If yes, then they have wrong password.
Aki
On 2020-10-21 10:58, jesus san miguel wrote:
I have certain power users who can't login through POP3 or IMAP from their computer while being receiving mail on their cell phones (pop3), despite pop3_lock_session = no
Am I hitting some other limit? I don't see any error in dovecot.log but a generic failed login:
I think there is a limit on the number of concurrent IMAP sessions that each user can have open at once, and the default is 5 or something fairly low.
Modern smartphone IMAP clients can easily have that many sessions open, if the user is monitoring many folders for new mail, so when the user attempts to log in with another device they cannot because they have hit the limit.
-- David Pottage
On Wed, 21 Oct 2020, David Pottage wrote:
I think there is a limit on the number of concurrent IMAP sessions that each user can have open at once, and the default is 5 or something fairly low.
Modern smartphone IMAP clients can easily have that many sessions open, if the user is monitoring many folders for new mail, so when the user attempts to log in with another device they cannot because they have hit the limit.
Global searches using Apple mail readers will open as many concurrent mailboxes as your settings allow, even hundreds. However, they're closed in batches as well, so a graph of user mailbox connections will show sawtooth patterns.
Joseph Tam jtam.home@gmail.com
participants (4)
-
Aki Tuomi
-
David Pottage
-
jesus san miguel
-
Joseph Tam