
A lot of pop incorrect password


Nicolas Ross

Feb 2, 2010, 12:31:03 PM
We upgraded last weekend our CGate server from 5.0 to 5.2.19.

Since then, we see a lot, really a lot of "Error Code=incorrect password" on
the pop channels, making some users block themselves. For most cases, the
email still gets through to the user.

I suspect it's some sort of advertised password authentication mechanism
that isn't supported by that user password encryption. Our passwords are by
default encrypted with a-crypt. Some old accounts have clear-text ones.

I can't find where this kind of thing is set. Where is it? Am I on the
right track?

Thanks,

Nicolas



Nicolas Hatier

Feb 2, 2010, 12:40:49 PM

Outlook may be the culprit. For some obscure reasons, when a full username is entered (user@domain) in the account config, Outlook may try the username alone first. When it sees it doesn't work, it tries the full username as entered. But it obviously doesn't learn from its errors, and the next time repeats the same pattern.

You may need to change the account config in Outlook client, using "user%domain" instead of "user@domain". Fortunately, Outlook is not aware the % sign can be used as a domain separator and will not try to split it. CGP understands the % sign perfectly.

I saw that issue on several servers, but I'm not sure how it is related to a server update from 5.0 to 5.2. Possibly something changed that makes Outlook think it can get away with that trick.

Regards
Nicolas Hatier


On 2010-02-02 12:31, Nicolas Ross wrote:
> We upgraded last weekend our CGate server from 5.0 to 5.2.19.
>
> Since then, we see a lot, really a lot of "Error Code=incorrect password" on the pop channels, making some users block themselves. For most cases, the email still gets through to the user.
>
> I suspect it's some sort of advertised password authentication mechanism that isn't supported by that user password encryption. Our passwords are by default encrypted with a-crypt. Some old accounts have clear-text ones.
>
> I can't find where this kind of thing is set. Where is it? Am I on the right track?
>
> Thanks,
>
> Nicolas

--

Nicolas Hatier, ing. <nicolas...@niversoft.com>
Niversoft idées logicielles - http://www.niversoft.com

Nicolas Ross

Feb 2, 2010, 12:54:33 PM
Thanks,

I don't think it's the case, since the error I see in the log is the full username. But you might also be right. I searched a little more and I saw, along with the error from the full email, an error for the user @ our maindomain:
 
12:51:35.254 1 ACCOUNT(user@subdomain) login(POP) from [x.x.x.x] failed. Error Code=incorrect password
12:51:37.283 1 ROUTER SYSTEM: 'user@maindomain' rejected. Error Code=unknown user account
12:51:37.283 1 POP-280763([x.x.x.x]) failed to open 'user'. Connection from [x.x.x.x]:27244. Error Code=unknown user account
 
Ok, then, I'll search for those and send a mail to our users... Damn...
 
Thanks,
Nicolas

Nicolas Ross

Feb 2, 2010, 1:50:36 PM
I also see the error for a particular user for which his domain has a reserved unique IP, and thus doesn't require full domain as username.

For this domain, there are about 100 or so emails, and only about 20 report this kind of error, and by the sysadmin there, those are Outlook 2007 or the like.
 
Regards,

Shaun Gamble

Feb 2, 2010, 7:48:27 PM
Nicolas H is right.

We had a large number of POP3 clients in our companies. Upgrading them
to 2003 and 2007 saw this error in large numbers. We changed the logon
details from user@domain to user%domain. Problem stopped immediately.
The stupid part is, it doesn't matter if you put user@domain into the
logon credentials for Outlook, it has to try user (without @domain) as
the login first. That is why your logs are showing user@subdomain
failed, router system user@maindomain rejected, unknown user account.
If CGP receives a user without the @domain then it assumes user is in
the main domain. Finds the user doesn't exist so therefore it considers
the user@subdomain to have failed the login and +1 to the password
error. You have set the failed passwords in Admin. As soon as the user's
count of failed passwords hits this limit, the user is locked out.

We had users being blocked due to password error. Replacing @ with % in
the authentication/login username fixed it.

On 3/02/2010 4:50 AM, Nicolas Ross wrote:
> I also see the error for a particular user for which his domain has a
> reserved unique IP, and thus doesn't require full domain as username.
> For this domain, there are about 100 or so emails, and only about 20
> report this kind of error, and by the sysadmin there, those are
> Outlook 2007 or the like.
> Regards,
>
> ----- Original Message -----
> *From:* Nicolas Ross <mailto:rossnic...@cybercat.ca>
> *To:* CommuniGate Pro Discussions <mailto:CGat...@mail.stalker.com>
> *Sent:* Tuesday, February 02, 2010 12:54 PM
> *Subject:* Re: A lot of pop incorrect password
>
> Thanks,
> I don't think it's the case, since the error I see in the log is
> the full username. But you might also be right. I searched a
> little more and I saw, along with the error from the full email,
> an error for the user @ our maindomain:
> 12:51:35.254 1 ACCOUNT(user@subdomain) login(POP) from [x.x.x.x] failed. Error Code=incorrect password
> 12:51:37.283 1 ROUTER SYSTEM: 'user@maindomain' rejected. Error Code=unknown user account
> 12:51:37.283 1 POP-280763([x.x.x.x]) failed to open 'user'. Connection from [x.x.x.x]:27244. Error Code=unknown user account
> Ok, then, I'll search for those and send a mail to our users...
> Damn...
> Thanks,
> Nicolas
>
> ----- Original Message -----
> *From:* Nicolas Hatier <mailto:nicolas...@niversoft.com>
> *To:* CommuniGate Pro Discussions <mailto:CGat...@mail.stalker.com>
> *Sent:* Tuesday, February 02, 2010 12:40 PM
> *Subject:* Re: A lot of pop incorrect password
>
> Outlook may be the culprit. For some obscure reasons, when a
> full username is entered (user@domain) in

--

Shaun
http://www.crocosauruscove.com http://www.destinationnt.com
http://www.momdarwin.com http://www.valueinn.com.au
Please do not send any unsolicited email. It is not wanted.
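
An added example (not from any poster in this thread and not CommuniGate's own tooling): a Python triage pass over log lines in the format quoted above, separating "incorrect password" failures that coincide with a bare-username attempt from the same IP (the client behaviour described in this thread) from failures with no such pairing. The account names, IP addresses, the 5-second window and the pairing heuristic itself are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the log lines quoted in the thread.
SAMPLE_LOG = """\
12:51:35.254 1 ACCOUNT(alice@sub.example) login(POP) from [192.0.2.10] failed. Error Code=incorrect password
12:51:37.283 1 ROUTER SYSTEM: 'alice@main.example' rejected. Error Code=unknown user account
12:51:37.283 1 POP-280763([192.0.2.10]) failed to open 'alice'. Connection from [192.0.2.10]:27244. Error Code=unknown user account
13:02:10.100 1 ACCOUNT(bob@sub.example) login(POP) from [198.51.100.7] failed. Error Code=incorrect password
13:02:11.400 1 ACCOUNT(bob@sub.example) login(POP) from [198.51.100.7] failed. Error Code=incorrect password
"""

# Failed password check against a fully qualified account.
BAD_PW = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \d+ ACCOUNT\(([^@)]+)@([^)]+)\) "
                    r"login\(POP\) from \[([^\]]+)\] failed\. "
                    r"Error Code=incorrect password")
# POP attempt with a bare username (no @domain) that matched no account.
BARE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \d+ POP-\d+\(\[([^\]]+)\]\) "
                  r"failed to open '([^'@]+)'.*Error Code=unknown user account")

def _ts(text):
    # The log carries time of day only; midnight rollover is not handled.
    return datetime.strptime(text, "%H:%M:%S.%f")

def classify_failures(log_text, window_s=5):
    """Return {account: {"client_retry": n, "unexplained": n}}."""
    bad, bare = [], []
    for line in log_text.splitlines():
        if m := BAD_PW.match(line):
            bad.append((_ts(m[1]), m[2], m[3], m[4]))
        elif m := BARE.match(line):
            bare.append((_ts(m[1]), m[3], m[2]))
    window = timedelta(seconds=window_s)
    result = defaultdict(lambda: {"client_retry": 0, "unexplained": 0})
    for when, user, domain, ip in bad:
        # Same local part, same source IP, close in time: likely one client
        # trying both "user" and "user@domain", not password guessing.
        paired = any(u == user and i == ip and abs(t - when) <= window
                     for t, u, i in bare)
        kind = "client_retry" if paired else "unexplained"
        result[f"{user}@{domain}"][kind] += 1
    return dict(result)

if __name__ == "__main__":
    for account, counts in classify_failures(SAMPLE_LOG).items():
        print(account, counts)
```

Accounts whose failures are all "client_retry" are candidates for the client-side fix discussed here; "unexplained" failures still deserve a look as possible guessing attempts.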

Nicolas Ross

Feb 2, 2010, 8:19:05 PM
Thanks,

But for some domains, who have their own IPs, a user who previously used
only his username without the @domain part, switched to the %domain. And in
both cases, I see pop login errors in my log.

Regards,

----- Original Message -----
From: "Shaun Gamble" <lis...@redco.com.au>
To: "CommuniGate Pro Discussions" <CGat...@mail.stalker.com>
Sent: Tuesday, February 02, 2010 7:48 PM
Subject: Re: A lot of pop incorrect password


> Nicolas H is right.
>
> We had a large number of POP3 clients in our companies. Upgrading them to
> 2003 and 2007 saw this error in large numbers. We changed the logon
> details from user@domain to user%domain. Problem stopped immediately. The
> stupid part is, it doesn't matter if you put user@domain into the logon
> credentials for Outlook, it has to try user (without @domain) as the login
> first. That is why your logs are showing user@subdomain failed, router
> system user@maindomain rejected, unknown user account. If CGP receives a
> user without the @domain then it assumes user is in the main domain. Finds
> the user doesn't exist so therefore it considers the user@subdomain to
> have failed the login and +1 to the password error. You have set the
> failed passwords in Admin. As soon as the user's count of failed passwords
> hits this limit, the user is locked out.
>
> We had users being blocked due to password error. Replacing @ with % in
> the authentication/login username fixed it.
>

Karl Zander

Feb 2, 2010, 8:43:34 PM
Try disabling NTLM on the CGP server.

Users-->Domain Settings (for your domain)-->Login Methods. Uncheck NTLM.

I ran into this last week with Outlook 2007 and POP3.

Outlook 2007 tries NTLM first and fails with "incorrect username or password." Outlook 2007 will then move on to try a different method, DIGEST-MD5 in our case. This will succeed. But all the failures soon reach the threshold for blocking account logins and the account gets added to the temporary block list. It's game over for the account until the temporary block list timer expires.

If you turn up the POP3 logs to all information, you will see it try NTLM, fail, then try another method.

We too tried replacing @ with % without success.

Not really sure why Outlook 2007 doesn't like NTLM.

CommuniGate is aware of this as they note it in the documentation.
http://www.communigate.com/CommuniGatePro//Security.html#SASL

Note: Some Microsoft products send incorrect credentials when they detect that the server supports the NTLM SASL method. While those products then resend the correct credentials, the failed login attempts produce Failure-level Log records and may increase the "failed logins" counter too quickly, so the account becomes "temporarily locked".

--Karl

Shaun Gamble

Feb 2, 2010, 8:48:07 PM
I forgot about NTLM. I disabled it years ago as it has only ever caused
grief.

On 3/02/2010 11:43 AM, Karl Zander wrote:
> Try disabling NTLM on the CGP server.
>
> Users-->Domain Settings (for your domain)-->Login Methods. Uncheck NTLM.
>
> I ran into this last week with Outlook 2007 and POP3.
>
> Outlook 2007 tries NTLM first and fails with "incorrect username or password." Outlook 2007 will then move on to try a different method, DIGEST-MD5 in our case. This will succeed. But all the failures soon reach the threshold for blocking account logins and the account gets added to the temporary block list. It's game over for the account until the temporary block list timer expires.
>
> If you turn up the POP3 logs to all information, you will see it try NTLM, fail, then try another method.
>
> We too tried replacing @ with % without success.
>
> Not really sure why Outlook 2007 doesn't like NTLM.
>
> CommuniGate is aware of this as they note it in the documentation.
> http://www.communigate.com/CommuniGatePro//Security.html#SASL
>
> Note: Some Microsoft products send incorrect credentials when they detect that the server supports the NTLM SASL method. While those products then resend the correct credentials, the failed login attempts produce Failure-level Log records and may increase the "failed logins" counter too quickly, so the account becomes "temporarily locked".
>
> --Karl
>
> On Tue, 2 Feb 2010 20:19:05 -0500
> "Nicolas Ross"<rossnic...@cybercat.ca> wrote:
>
>> Thanks,
>>
>> But for some domains, who have their own IPs, a user who previously used only his username without the @domain part, switched to the %domain. And in both cases, I see pop login errors in my log.
>>
>> Regards,
>>
>> ----- Original Message ----- From: "Shaun Gamble"<lis...@redco.com.au>
>> To: "CommuniGate Pro Discussions"<CGat...@mail.stalker.com>
>> Sent: Tuesday, February 02, 2010 7:48 PM
>> Subject: Re: A lot of pop incorrect password
>>
>>
>>
>>> Nicolas H is right.
>>>
>>> We had a large number of POP3 clients in our companies. Upgrading them to 2003 and 2007 saw this error in large numbers. We changed the logon details from user@domain to user%domain. Problem stopped immediately. The stupid part is, it doesn't matter if you put user@domain into the logon credentials for Outlook, it has to try user (without @domain) as the login first. That is why your logs are showing user@subdomain failed, router system user@maindomain rejected, unknown user account. If CGP receives a user without the @domain then it assumes user is in the main domain. Finds the user doesn't exist so therefore it considers the user@subdomain to have failed the login and +1 to the password error. You have set the failed passwords in Admin. As soon as the user's count of failed passwords hits this limit, the user is locked out.
>>>
>>> We had users being blocked due to password error. Replacing @ with % in the authentication/login username fixed it.
>>>
>>>
>>
>>

--

Nicolas Ross

Feb 2, 2010, 9:05:53 PM
> Try disabling NTLM on the CGP server.
>
> Users-->Domain Settings (for your domain)-->Login Methods. Uncheck NTLM.
>
> I ran into this last week with Outlook 2007 and POP3.

Thanks, that was exactly what I was looking for. I disabled it and the
errors stopped except for some that remain that are surely due to other
things...

Regards,

Nicolas Hatier

Feb 2, 2010, 10:18:06 PM
Oh, you upgraded from 5.0... didn't notice that. Between 5.0 and 5.1, several AUTH settings (including NTLM) moved from server to domain. However, the 5.0 server value is not copied to domain settings during upgrade, causing this problem.

Make sure you check your other AUTH settings in domain defaults, such as Force AUTH and such things.

NH


On 2010-02-02 21:05, Nicolas Ross wrote:
>> Try disabling NTLM on the CGP server.
>>
>> Users-->Domain Settings (for your domain)-->Login Methods.  Uncheck NTLM.
>>
>> I ran into this last week with Outlook 2007 and POP3.
>
> Thanks, that was exactly what I was looking for. I disabled it and the errors stopped except for some that remain that are surely due to other things...
>
> Regards,

Matthew Black

Feb 10, 2010, 4:26:26 PM
On Tue, 02 Feb 2010 20:43:34 -0500
Karl Zander <cgp...@commpartners.com> wrote:
> Try disabling NTLM on the CGP server.
>
> Users-->Domain Settings (for your domain)-->Login Methods. Uncheck NTLM.
>
> I ran into this last week with Outlook 2007 and POP3.
>
> Outlook 2007 tries NTLM first and fails with "incorrect username or
> password." Outlook 2007 will then move on to try a different method,
> DIGEST-MD5 in our case. This will succeed. But all the failures soon
> reach the threshold for blocking account logins and the account gets added
> to the temporary block list. It's game over for the account until the
> temporary block list timer expires.


We have always disabled NTLM and have seen these POP incorrect password
errors for years.

Login Methods enabled:
CLRTXT
CRAM-MD5
DIGEST-MD5
APOP
WEBUSER


I think it's a problem inherent to MS Outlook. We have just a single
cluster-wide domain and have our users put naked addresses (username or just
address without @csulb.edu) in their account field. Maybe our users are
adding the @csulb.edu, but I can't tell.

matthew black
california state university, long beach

Matthew Black

Feb 11, 2010, 12:54:22 PM
For CGP version 5.3.2, out of box on a 2x2 dynamic cluster

I'm trying to set-up an automatic redirect so that non-secure HTTP users
get automatically redirected to a secure HTTPS connection. Using
Nicolas Hatier's instructions, I added the following code to login.wssp:

--- login.wssp ---
<!--%%IF NOT(REQUESTSECURE()) --><REDIRECT>https://%%domainName%%/
<!--%%ELSE-->
[rest of code]
<!--%%ENDIF-->


After uploading to both server-wide and cluster-wide unnamed skin, then
rebooting to clear potential caching problems, it doesn't work when I
connect to
http://myserver.dom:8100

It still doesn't work if I use
http://myserver.dom:8100/login.wssp

But if I upload the changes as login2.wssp, it DOES work if I use
http://myserver.dom:8100/login2.wssp


Logging files show:

Redirect fails for login.wssp
09:41:41.640 2 HTTPU-000005([134.139.xx.xx]) login.wssp(xxx.xxx.csulb.edu) retrieved
09:41:41.666 2 HTTPU-000006([134.139.xx.xx]) style.css[Viewpoint] retrieved

Redirect works for login2.wssp
09:41:46.768 2 HTTPU-000007([134.139.xx.xx]) login2.wssp(xxx.xxx.csulb.edu) retrieved
09:41:46.768 2 HTTPU-000007([134.139.xx.xx]) Moved.wssp retrieved
09:41:47.098 2 HTTPU-000008([134.139.xx.xx]) login.wssp(xxx.xxx.csulb.edu) retrieved
09:42:54.408 2 CLUSTER cluster NEWNONCE completed

Any suggestions?

matthew black
e-mail postmaster

Nicolas Hatier

Feb 11, 2010, 1:06:00 PM
My first guess would be that the login.wssp loaded by CGP is not the one you modified.
CGP loads login.wssp from the webskin specified as account default.

As there is no login2.wssp in that account default webskin, the file you uploaded in the unnamed skin is used.

NH

Matthew Black

Feb 15, 2010, 1:14:38 PM
We are a public university located in the United States with international
and ESL students and faculty. Our classes are conducted in English.

Setting up new cluster and upgrading from 5.0.9. We currently use the
character set ISO-8859-15. Mostly Windows users, but plenty of Mac OS users
too!

CGP defaults to UTF-8.

Trying to get an idea of what character set is used by other US sites and
how they made their choice. Please share your experiences! TIA.

matthew black

Stefan Seiz

Feb 16, 2010, 6:05:46 AM
On 15.02.2010 19:14, "Matthew Black" <bl...@csulb.edu> wrote:

> We are a public university located in the United states with international
> and ESL students and faculty. Our classes are conducted in English.
>
> Setting up new cluster and upgrading from 5.0.9. We currently use the
> character set ISO-8859-15. Mostly Windows users, but plenty of Mac OS users
> too!
>
> CGP defaults to UTF-8.

I'd say UTF-8 is the way to go. I don't know of any browser which doesn't
support UTF-8.

--
Stefan Seiz <http://www.StefanSeiz.com>
Spamto: <b...@imd.net>
