Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: No mail, even to whitelisted
Posted: Fri Mar 26, 2010 12:44 pm
Forum Regular

Joined: Thu Apr 23, 2009 12:08 pm
Posts: 218
Cannot save a case in support portal, and cannot mail for support... I will open a new mail account on another server and email this to support, but something's wrong...I am even whitelisted...

I cannot login to webmail accounts...have not logged in since Monday when it worked fine..

getting these errors:
security alerts in asl interface: level 3
26Mar 11:53:36 3 3901 u15332031 pop3d: Connection, ip=[127.0.0.1]


maillog:
Mar 26 11:38:26 u15332031 pop3d-ssl: Connection, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 pop3d-ssl: LOGOUT, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 pop3d: Connection, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 pop3d: LOGOUT, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 imapd-ssl: Connection, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 imapd-ssl: 1269617906.704986 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=310, maildir=/
Mar 26 11:38:26 u15332031 imapd: Connection, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 imapd: 1269617906.729954 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=308, maildir=/
Mar 26 11:38:28 u15332031 spamd[10531]: spamd: got connection over /tmp/spamd_full.sock
Mar 26 11:38:28 u15332031 spamd[2636]: prefork: child states: II


 
 Post subject: Re: No mail, even to whitelisted
Posted: Fri Mar 26, 2010 4:04 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3263
Location: Chantilly, VA
Quote:
I cannot login to webmail accounts...have not logged in since Monday when it worked fine..


What changed between now and Monday?

Quote:
getting these errors:
security alerts in asl interface: level 3
26Mar 11:53:36 3 3901 u15332031 pop3d: Connection, ip=[127.0.0.1]


That's not an error, that's a log event. That's what you would see in the logs if you had a process logging into your POP3 service from the local server.

Quote:
Mar 26 11:38:26 u15332031 pop3d-ssl: Connection, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 pop3d-ssl: LOGOUT, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 pop3d: Connection, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 pop3d: LOGOUT, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 imapd-ssl: Connection, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 imapd-ssl: 1269617906.704986 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=310, maildir=/
Mar 26 11:38:26 u15332031 imapd: Connection, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 imapd: 1269617906.729954 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=308, maildir=/
Mar 26 11:38:28 u15332031 spamd[10531]: spamd: got connection over /tmp/spamd_full.sock
Mar 26 11:38:28 u15332031 spamd[2636]: prefork: child states: II


Unless I'm missing something, I don't see any logins completing. ASL wouldn't have anything to do with that. If you can connect to the service, then ASL is out of the loop. That's weird what you have there, a typical webmail client would create entries like this if the login worked:

Mar 26 16:07:19 www3 imapd: Connection, ip=[127.0.0.1]
Mar 26 16:07:19 www3 imapd: IMAP connect from @ [127.0.0.1]INFO: LOGIN, user=USERNAME, ip=[127.0.0.1], protocol=IMAP

In your case it's a logout, which you would see when a session ends for a classic mail client.

A failed login usually looks like this:

Mar 26 16:08:25 www3 imapd: Connection, ip=[127.0.0.1]
Mar 26 16:08:30 www3 imapd: IMAP connect from @ [127.0.0.1]ERR: LOGIN FAILED, ip=[127.0.0.1]

What do you see exactly when you try to login to your webmail client?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
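
The three log shapes described in the post above (a connection that logs out without any login, a successful login, a failed login) can be told apart mechanically. This is an added example, not part of the original thread; `classify` and the outcome labels are hypothetical names, and the sample is assembled from log lines quoted in the thread.

```python
import re
from collections import Counter

# Sample input assembled from log lines quoted in this thread.
SAMPLE = """\
Mar 26 11:38:26 u15332031 pop3d-ssl: Connection, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 pop3d-ssl: LOGOUT, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 imapd: Connection, ip=[127.0.0.1]
Mar 26 11:38:26 u15332031 imapd: 1269617906.729954 LOGOUT, ip=[127.0.0.1], rcvd=12, sent=308, maildir=/
Mar 26 11:38:28 u15332031 spamd[2636]: prefork: child states: II
Mar 26 16:07:19 www3 imapd: Connection, ip=[127.0.0.1]
Mar 26 16:07:19 www3 imapd: IMAP connect from @ [127.0.0.1]INFO: LOGIN, user=USERNAME, ip=[127.0.0.1], protocol=IMAP
Mar 26 16:08:25 www3 imapd: Connection, ip=[127.0.0.1]
Mar 26 16:08:30 www3 imapd: IMAP connect from @ [127.0.0.1]ERR: LOGIN FAILED, ip=[127.0.0.1]
""".splitlines()

COURIER = {"pop3d", "pop3d-ssl", "imapd", "imapd-ssl"}
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (\S+) ([\w-]+)(?:\[\d+\])?: (.*)$")
EVENT = re.compile(r"\b(Connection|LOGIN FAILED|LOGIN|LOGOUT)\b")
IP = re.compile(r"ip=\[([^\]]+)\]")

def classify(lines):
    """Count (host, service, ip, outcome). These lines carry no PID, so
    overlapping sessions from one IP to one service are not separated."""
    state = {}        # (host, service, ip) -> "connected" | "authenticated"
    seen = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(2) not in COURIER:
            continue  # not a Courier POP3/IMAP line (e.g. spamd)
        host, service, msg = m.groups()
        ev, ip = EVENT.search(msg), IP.search(msg)
        if not ev or not ip:
            continue
        key = (host, service, ip.group(1))
        kind = ev.group(1)
        if kind == "Connection":
            state[key] = "connected"
        elif kind == "LOGIN":
            state[key] = "authenticated"
            seen[key + ("login_ok",)] += 1
        elif kind == "LOGIN FAILED":
            state.pop(key, None)
            seen[key + ("login_failed",)] += 1
        elif state.pop(key, None) == "connected":  # LOGOUT with no LOGIN
            seen[key + ("no_auth_attempt",)] += 1
    return seen

if __name__ == "__main__":
    for key, count in classify(SAMPLE).items():
        print(count, *key)
```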


 
 Post subject: Re: No mail, even to whitelisted
Posted: Sat Mar 27, 2010 7:07 pm
Forum Regular

Joined: Thu Apr 23, 2009 12:08 pm
Posts: 218
Quote:
What changed between now and Monday?


I can't think of anything that has changed in my configurations...
Quote:
What do you see exactly when you try to login to your webmail client?

The browser spins its wheel for a long time, then the Horde login boxes become empty, then the message is "login failed"
I have even tried changing the passwords from the Plesk interface and this does not work either...

Is re-installing postfix gonna help anything?


 
 Post subject: Re: No mail, even to whitelisted
Posted: Sat Mar 27, 2010 7:14 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3263
Location: Chantilly, VA
Quote:
Is re-installing postfix gonna help anything?


No, Postfix wouldn't have anything to do with retrieving mail. Postfix is only for SMTP. If you are using Plesk then you are probably using Courier-IMAP, that is the software that would interact with the webmail client. Check and see if you upgraded or changed anything in your yum.log file - like atmail, horde, courier, etc.

Have you also tried manually logging into IMAP via telnet to make sure your IMAP server is working correctly?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 
 Post subject: Re: No mail, even to whitelisted
Posted: Sat Mar 27, 2010 10:48 pm
Forum Regular

Joined: Thu Apr 23, 2009 12:08 pm
Posts: 218
I have looked at the ASL reports and I started getting those messages at approx 14:59, March 24...never before that...

In the yum logs, I updated on Mar 24 at 14:52, ossec-hids, asl-2.2.5-1, ossec-hids-server-2.4-2, 1:asl-web-2.2.5-1, 1:asl-2.2.5-2, 1:asl-web-2.2.5-2....

This is all that is in the yum logs, except going back to Mar 21, installed zip-2.31-2, and then back to the 17th updated cpio-2.6-23.....

I am confused why there is listed, within seconds of each other, several versions of asl and asl web....

Anyway, it looks like this update is possibly the culprit...what do you recommend?


 
 Post subject: Re: No mail, even to whitelisted
Posted: Sun Mar 28, 2010 10:04 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1872
Are you positive 127.0.0.1 is whitelisted?

Some of the things I'd do in this situation:
Check /etc/hosts.deny to make sure that 127.0.0.1 isn't in there, and that it is listed in /etc/hosts.allow

Check that 127.0.0.1 is in the ASL whitelist FILE (I'm sorry, but I've forgotten where it is)
Check that 127.0.0.1 is NOT denied in iptables.

Now, as to the solution, although it should not be happening, there's a possibility that one of the new ossec rules that are designed to stop email abuse is somehow triggering, even though there's nothing in the ASL logs to match, and even though the log entries you are seeing are "strange", with logouts but no logins or denied logins.

So, I'd look at the new ossec rule xml file (again, sorry -- forgotten where it is. There's a thread here somewhere on some problems with the new rules, which mentions it), and change the settings to allow more connections per minute. The problem with webmail is that it does make a load of connections in a short time.

Faris.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 
 Post subject: Re: No mail, even to whitelisted
Posted: Sun Mar 28, 2010 2:22 pm
Forum Regular

Joined: Thu Apr 23, 2009 12:08 pm
Posts: 218
Thanks Faris....this took a little time, but here's the rundown

127.0.0.1 is whitelisted in ASL, not in hosts.deny, included in hosts.allow, not denied in iptables...

As per the referred thread, I have changed the courier_rules.xml ...frequency from 10 to 100, timeframe from 60 to 30....

Done ASL -s -f, restart imap/pop3 server through Plesk...
Rebooted...
Still no access to emails..
Changed passwords, setup new account...nothing works...

I did get a new alert in ASL gui not seen before after I rebooted:
Quote:
28Mar 13:21:325 2501 u15332031 imapd: IMAP connect from @ [127.0.0.1]ERR: LOGIN FAILED, ip=[127.0.0.1]

Emails sent into accounts get no alerts in ASL, otherwise things still the same...


 
 Post subject: Re: No mail, even to whitelisted
Posted: Sun Mar 28, 2010 3:51 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3263
Location: Chantilly, VA
Quote:
28Mar 13:21:325 2501 u15332031 imapd: IMAP connect from @ [127.0.0.1]ERR: LOGIN FAILED, ip=[127.0.0.1]


That means IMAP is working fine and your password or username is wrong. ASL doesn't have anything to do with either authentication or IMAP, so check and make sure your credentials are correct. One simple way to do this is to telnet to the IMAP service:

telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
. login username@domain.com your_password
. OK LOGIN Ok.
. logout
* BYE Courier-IMAP server shutting down
. OK LOGOUT completed
Connection closed by foreign host.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 
 Post subject: Re: No mail, even to whitelisted
Posted: Sun Mar 28, 2010 4:49 pm
Forum Regular

Joined: Thu Apr 23, 2009 12:08 pm
Posts: 218
Just did that and I got into the account, so the password is correct, the server is working, and I still can't use a browser to login...

Your support staff has been walking me through this, and I gave them permission to login to the email account from their side to test and see if it is something from my desktop...or my browser or whatever...

I did a send email test from the server and it works okay from there also...

Thanks for the information...


 
 Post subject: Re: No mail, even to whitelisted
Posted: Tue Mar 30, 2010 11:00 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3263
Location: Chantilly, VA
I just logged into your box and you had set your /var/lib/php/session to not be writable by apache. So not an ASL issue, but we fixed it for you anyway.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
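
A check for the root cause reported in the post above, the PHP session directory not being writable by the web server user. This is an added example, not part of the original thread; the function names are hypothetical, the path and the `apache` user name are taken from the post, and ACLs, SELinux and root's override are deliberately ignored.

```python
import grp
import os
import pwd
import stat

def may_create_files(mode, owner_uid, owner_gid, uid, gids):
    """Apply the classic Unix rule: exactly one permission class is used.

    The owner class wins if the uid matches, even when the group or other
    bits would have granted more. Creating a file in a directory needs
    both write (2) and search (1) permission on it.
    """
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & 3) == 3

def check_session_dir(path="/var/lib/php/session", user="apache"):
    """Return True if `user` can create session files under `path`."""
    pw = pwd.getpwnam(user)
    # Primary group plus every supplementary group that lists the user.
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    st = os.stat(path)
    return may_create_files(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                            pw.pw_uid, gids)

if __name__ == "__main__":
    try:
        ok = check_session_dir()
        print("session dir writable by apache:", ok)
    except (KeyError, FileNotFoundError) as exc:
        # No such user or no such directory on this machine.
        print("cannot check:", exc)
```

A `False` result here matches the symptom in this thread: IMAP logins succeed over telnet while the webmail login page fails.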


 
 Post subject: Re: No mail, even to whitelisted
Posted: Tue Mar 30, 2010 12:15 pm
Forum Regular

Joined: Thu Apr 23, 2009 12:08 pm
Posts: 218
Yes, I had changed that during a troubled Joomla Installation, and not restored the permissions correctly....

I have to say that the troubleshooting expertise exhibited by the ASL team is the best...


 
 Post subject: Re: No mail, even to whitelisted
Posted: Tue Mar 30, 2010 12:20 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3263
Location: Chantilly, VA
Our pleasure :-)

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 
 Post subject: Re: No mail, even to whitelisted
Posted: Sat Jul 23, 2011 5:53 pm
Forum User

Joined: Wed Mar 19, 2008 10:22 pm
Posts: 98
I know I'm digging up an old post, but I was having a similar problem with entries like this showing up in my mail logs and I thought this may help out someone else in the future.

Quote:
pop3d-ssl: Connection, ip=[127.0.0.1]
pop3d-ssl: LOGOUT, ip=[127.0.0.1]
pop3d: Connection, ip=[127.0.0.1]
pop3d: LOGOUT, ip=[127.0.0.1]


After doing a little research I discovered that they were coming from Plesk's Watchdog module. Disable Watchdog and no more log entries.

