Mailing List CGatePro@mail.stalker.com Message #96141
From: Marcel Hochuli <mhochuli@a-f.ch>
Subject: Re: Outlook 2007 login method rejected
Date: Wed, 17 Sep 2008 16:28:45 +0200
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: Apple Mail (2.928.1)
Hi Bret

Two of my clients reported these Versions:

[Microsoft® Office Outlook® 2007 (12.0.4518.1014) MSO (12.0.6213.1000)]

OR

[Microsoft® Office Outlook® 2007 (12.0.6212.100) SP1 MSO (12.0.6213.1000)]

Both tell me, that they use the full e-mail address in both mentioned fields.

As you can see in this modified log on lines 0009 and 0010, Outlook 2007 is first trying to log in with isolated name (without domain) and tries again on line 0016 with full e-mail address.

A similar behaviour is going on with IMAP connections.

They will upgrade her Outlook client and we'll come back to this issue afterwards...


0001 SMTPI-000833 got connection on [myIP]:25(a-f.ch) from [theirIP]:32350
0002 SMTPI-000833 out: 220 a-f.ch ESMTP CommuniGate Pro 5.2.8 is glad to see you!\r\n
0003 SMTPI-000833 inp: EHLO ITCNHPC01
0004 SMTPI-000833 out: 250-a-f.ch domain name should be qualified ITCNHPC01\r\n250-DSN\r\n250-SIZE 104857600\r\n250-STARTTLS\r\n250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN\r\n250-ETRN\r\n250-TURN\r\n250-ATRN\r\n250-NO-SOLICITING\r\n250-8BITMIME\r\n250-HELP\r\n250-PI
0005 SMTPI-000833 inp: AUTH DIGEST-MD5
0006 SMTPI-000833 SASL-0(DIGEST-MD5) out: nonce="887a1846527772aa-f.ch",qop="auth",charset=utf-8,algorithm=md5-sess
0007 SMTPI-000833 out: 334 bm9uY2U4IjgzK2ExMjIyNjI4OFEyKJTtZi5jaBIscA9wPSJhdPYoIixduGFyc7V0PDP0Zi87LGFsD25yaXRogT1tZNRtc2Vzqw==\r\n
0008 SMTPI-000833 inp: dXNlcm4hbEF9ImNuaFIscmVhbG54ImUtbnElbnRfo24uY48tIikdu25jZT5iOJEzYTEyOjE2Sjc4KEJhYS8mLmNoIixkaWdlc3QtdXJpPSJzbXRwL21haWwuZS1udmVudGlvbi5jb40iLGNub87jZE0iNDugNzdmZGEwDjJkGTR0NjkyTGJiNDd1MDU8YWJiZTYiLG5jPTAwMDAwMDAxLHJlc7BvbnNlKJZ1MTDkMzEmNmE7ZTZlMzM6MjU
0009 SMTPI-000833 SASL-0(DIGEST-MD5) inp: username="abc",realm="otherdom.com",nonce="887a1221627772aa-f.ch",digest-uri="smtp/mail.otherdom.com",cnonce="48b77fda362dd34692d2b475057abbe6",nc=00000001,response=a516d34f6a5e6e654651245878f18625,qop=auth,charset=utf-8
0010 SMTPI-000833 failed to open 'abc'. Connection from [theirIP]:32350. Error Code=unknown user account
0011 SMTPI-000833 out: 535 (515) incorrect password or account name\r\n
0012 SMTPI-000833 inp: AUTH LOGIN
0013 SMTPI-000833 SASL-0(LOGIN) out: Username:
0014 SMTPI-000833 out: 334 VXNlcm3hcWR6\r\n
0015 SMTPI-000833 inp: K24oQZRtbnElcuRpb87uY39e
0016 SMTPI-000833 SASL-0(LOGIN) inp: abc@otherdom.com
0017 SMTPI-000833 SASL-1(LOGIN) out: Password:
0018 SMTPI-000833 out: 334 UGUzc7dhfzQ6\r\n
0019 SMTPI-000833 inp: Y87oUeAsMw==
0020 SMTPI-000833 SASL-1(LOGIN) inp: abc6003
0021 SMTPI-000833 'abc@otherdom.com' connected from [theirIP]:32350


Marcel
_______________________________________


Am 16.09.2008 um 17:11 schrieb Bret Miller:

Yes, mine only attempts a single login with the full email address. In both the email address and username fields I have the full email address. Outlook version:

[Microsoft® Office Outlook® 2007 (12.0.6316.5000) SP1 MSO (12.0.6320.5000)]

I'm using port 143 with clear text login on CommuniGate Pro 5.2.7. To be clear, this is IMAP, not MAPI, but I think even with MAPI, it logged in using the full address first if that's what I specified. Make sure you don't have just the account name portion in the user name field in the Outlook account settings.

The behavior you're seeing would indicate that only the account name is in that box and when that fails, Outlook tries the email address field. Please check the Outlook account settings and make sure the full email address is in both email address AND user name.

You might also check your update level. Sometimes bad behaviors are corrected in updates, and I can't check previous versions.

Bret


Marcel Hochuli wrote:
I really don't know, what's going on.

Martin
Changing the port from 143 to 993 or the other way around produces the same errors.

Bret
Do your Outlook 2007 clients log in with the full email address when entered completely? My clients don't. Outlook 2007 always strips off the first part and tries to log in with it. It then get's kicked off (unknown user account) and tries again with the whole email address. This problem is as old as Outlook 2007 (I already wrote about it in the first email).

Bret, I found an old email from you (Feb 8, 2007) about NTLM and MSN login methods:

====
I've disabled NTLM and MSN login methods per your suggestion. I think I had those disabled, but after a recent CGP upgrade, they seem to have come back. That said, we have had no other reports of trouble except from Outlook 2007
users, so it may be a problem specific to the new version of Outlook.  I'll check with the user and see if disabling those fixed the issue.

Upgrading to CGPro 5.1.x moves those settings from SMTP > Receiving to domain settings, but the previous settings are NOT preserved so you return to the defaults. I wish Stalker would do a bit of effort to preserve settings like that between versions so we don't have to read about someone losing them and then remember to note them and re-enter them when we finally get around to updating. It wouldn't seem difficult to note that the first time 5.1.x loads there isn't any domain defaults for those and go looking in the old place. That's not too hard, is it? (Doesn't seem to be to me...)

Bret
====

I've too disabled NTLM and MSN login methods years ago. But I ran into the same problem, that upgrading to CGP 5.1 switched them on again. I turned them off last Friday. The problem with Outlook 2007 from secondary domains is gone! But the fact that Outlook 2007 still tries to log in with the first part of the email address is still the same. This will not hamper their communication, though. It just fills up my log a bit more...

But now I have a new problem: My inhouse Outlook 2003 client cannot get emails anymore. They can send, but not retrieve. They are also connected via MAPI.

As the login methods are domain based now, I turned on MSN (NTLM is not needed per tests) and now the inhouse clients can communicate again.

The cosmetic problem with many thousand lines in the log "failed to open 'abc'. Error Code=unknown user account" remains, but all clients can communicate without problems.

If it helps anyone, great!

If somone has other ideas or explanation, I greatly listen to you.


Marcel


+---
mailto:mhochuli@a-f.ch
otherto:noway@a-f.ch
_______________________________________

Am 12.09.2008 um 18:17 schrieb Martin.Hepworth:

Marcel

They using secure (port 993) or normal (port 143) imap?

If secure does changing to normal help?

Have you tried running the Mapi connector instead (Outlook's imap handling is a bit 'odd' on occassions, I always say Outlook tolerates IMAP rather than supports it!).

Am 12.09.2008 um 23:30 schrieb Bret Miller:

I had another thought on this. Outlook defaults when setting up the account to only put the username part in the "username" box. If your server is expecting the full email address, changing the client to specify the full email address in the username box would probably solve it. I always go back and change my username fields in outlook to specify the full email address since most of the services I use require that, but I'd bet most users do not do that.

Bret

Marcel Hochuli wrote:
Hello

Thanks so far!

I have turned on "all info" logging for IMAP. And yes, they are connected with IMAP, not MAPI.

The incorrect password attempts came from the same IP address as the correct ones. So I don't belief it's an attack in any way.

I'll have to got through the logs and report later, what the news are.


BTW: Has no one out there the problem, that Outlook 2007 first attempts to log in without domain-part (when using IMAP)??
I have this problem since the first installation of Outlook 2007 on a secondary domain.



+---
mailto:mhochuli@a-f.ch
otherto:noway@a-f.ch
_______________________________________



Am 11.09.2008 um 01:36 schrieb Shaun Gamble:

Marcel,

Just a quick note regarding the incorrect passwords, one thing to do would be check your logs for incorrect password attempts. I started having the same thing the other day and discovered I was under attack from an other IP address. They had some account names and were just attempting a dictionary attack on them. I banned the IP and the problem stopped.

Failing that, what is your setup in Outlook 2007? It looks like you are using IMAP and not MAPI, so what are the email settings in Outlook? Also, do you have the accounts authenticating?


Marcel Hochuli wrote:
Hi

We have problems with Outlook 2007 connecting to our server since updated from 5.2.5 to 5.2.7.

First (this is an old problem), every user with Outlook 2007 on a secondary domain tries to log in with the name without the domain-part. After the failed login, it tries with the whole e-mail address and it works.

Log example
IMAP-87([IP]) got connection on [myIP]:143(a-f.ch) from [IP]:45053
IMAP-87([IP]) failed to open 'abc'. Connection from [IP]:45053. Error Code=unknown user account
IMAP-87([IP]) 'abc@domain.dom' connected from [IP]:45053
IMAP-87([IP]) 'abc@domain.dom' disconnected ([IP]:45053)
IMAP-87([IP]) closing connection
IMAP-87([IP]) releasing stream


Second (this is new and problematic), I get the message «Error Code=incorrect password» and then «rejected: too many failed logins» thousands of times in the log. The users say, they have big problems staing connected to the server. They can use web-login or any other client like Thunderbird or a Mac without problems. But not Outlook 2007 on Windows.

Log example
ACCOUNT(abc@domain.dom) login(IMAP) from [IP] failed. Error Code=incorrect password
ROUTER Input(Access): abc@domain.dom
ROUTER PARSER: 'abc@domain.dom' -> 'abc' at 'domain.dom'
ROUTER LOCAL: 'abc@domain.dom' accepted: '' at 'abc@domain.dom'
ACCOUNT(abc@domain.dom) login(IMAP) from [IP] rejected: too many failed logins


Does anyone know a solution for this problem?


Marcel

+---
mailto:mhochuli@a-f.ch
otherto:noway@a-f.ch
_______________________________________


Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster