Finding MAC Address Details of logged in zextras users

 puvi
(@puvi)
Joined: 8 months ago
Posts: 26
Topic starter  

Hello Zextras Team,

Is there any way that I can get the device details (PC/Laptop MAC address) of the device on which a zextras user is currently logged in? I know the logs are available in /opt/zextras/logs/audit.log; however, these audit/access logs give me only the public IP of my ISP, not the PC details (like local IP or MAC) of the logged-in zextras user.

 


   
 puvi
(@puvi)
Joined: 8 months ago
Posts: 26
Topic starter  

Hello Team,

We kindly request that this issue be reviewed again, as we urgently require a workaround.

To provide a brief overview of the issue, we created a new email address under the Carbonio mail server, which was successfully configured on Outlook for a user. However, the problem arises when the user changes their email password. After updating the password in Outlook (the mail client), the account gets locked out in a short span of time. Interestingly, the issue resolves when the user reverts to the old password.

Initially, we suspected the issue was caused by Outlook, so we deleted the email profile and even formatted the PC, but the problem persists. As a temporary measure, we have advised affected users not to change their passwords.

Upon reviewing the audit logs, we observed that the lockout appears to be triggered by Microsoft Office 365, although the user's email account has not been configured in any Microsoft services. This issue affects all users whose email accounts are set up in Outlook.

2024-09-12 21:42:41,774 WARN [ImapServer-78] [ip=XXX.XXX.XXX.XXX;oip=40.99.78.85;via=Microsoft Office 365/15.20.7962.17,XXX.XXX.XXX.XXX(nginx/1.20.2);ua=Zimbra/24.1.0_ZEXTRAS_202401;cid=3019;] security - cmd=Auth; account=jjoromo@azpired.net; protocol=imap; error=authentication failed for [jjoromo@azpired.net], account lockout;
2024-09-12 21:43:28,267 WARN [ImapServer-80] [ip=XXX.XXX.XXX.XXX;oip=40.99.78.85;via=Microsoft Office 365/15.20.7962.17,XXX.XXX.XXX.XXX(nginx/1.20.2);ua=Zimbra/24.1.0_ZEXTRAS_202401;cid=3021;] security - cmd=Auth; account=jjoromo@azpired.net; protocol=imap; error=authentication failed for [jjoromo@azpired.net], account lockout;
2024-09-12 21:44:09,629 WARN [ImapServer-80] [ip=XXX.XXX.XXX.XXX;oip=40.99.78.85;via=Microsoft Office 365/15.20.7962.17,XXX.XXX.XXX.XXX(nginx/1.20.2);ua=Zimbra/24.1.0_ZEXTRAS_202401;cid=3023;] security - cmd=Auth; account=jjoromo@azpired.net; protocol=imap; error=authentication failed for [jjoromo@azpired.net], account lockout;
2024-09-12 21:44:51,162 WARN [ImapServer-80] [ip=XXX.XXX.XXX.XXX;oip=40.99.78.85;via=Microsoft Office 365/15.20.7962.17,XXX.XXX.XXX.XXX(nginx/1.20.2);ua=Zimbra/24.1.0_ZEXTRAS_202401;cid=3025;] security - cmd=Auth; account=jjoromo@azpired.net; protocol=imap; error=authentication failed for [jjoromo@azpired.net], account lockout;
2024-09-12 21:45:32,792 WARN [ImapServer-80] [ip=XXX.XXX.XXX.XXX;oip=40.99.78.85;via=Microsoft Office 365/15.20.7962.17,XXX.XXX.XXX.XXX(nginx/1.20.2);ua=Zimbra/24.1.0_ZEXTRAS_202401;cid=3027;] security - cmd=Auth; account=jjoromo@azpired.net; protocol=imap; error=authentication failed for [jjoromo@azpired.net], account lockout;
2024-09-12 21:46:14,474 WARN [ImapServer-78] [ip=XXX.XXX.XXX.XXX;oip=40.99.78.85;via=Microsoft Office 365/15.20.7962.17,XXX.XXX.XXX.XXX(nginx/1.20.2);ua=Zimbra/24.1.0_ZEXTRAS_202401;cid=3028;] security - cmd=Auth; account=jjoromo@azpired.net; protocol=imap; error=authentication failed for [jjoromo@azpired.net], account lockout; 

 

 


   
 Klug
(@klug)
Joined: 13 years ago
Posts: 65
 

Microsoft Office 365 appears because the user has the O365 version of Outlook. It has nothing to do with O365 as SaaS.
Are you sure the password was correctly updated in Outlook (both IMAP and SMTP)?


   
 puvi
(@puvi)
Joined: 8 months ago
Posts: 26
Topic starter  

@klug

The passwords have been successfully updated, and this issue is occurring across most email accounts configured in Outlook.

I can confirm that the passwords were correctly updated, as I verified users were able to log in via webmail before they entered their updated credentials in Outlook.


   
 Klug
(@klug)
Joined: 13 years ago
Posts: 65
 

As I said, did you check that all the accounts (IMAP and SMTP and maybe CalDAV) were updated in Outlook?
Are you sure your users do not have some phone connected to their account too?

The log extract shows "account locked"; this is after the password issue.
You should look at the logs at the time the lockout happens to find out what is causing the lockout (IMAP or SMTP or something else).


   
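An added example (not part of any post in this thread) of the check suggested above: parse audit.log lines in the layout quoted earlier and report, per account, which protocol, originating IP and client produced the failures before the first "account lockout" entry. The sample lines are constructed, and the "invalid password" reason text, addresses, account and `ExampleMobile` client are assumptions; the parser accepts any reason string.

```python
import re
from collections import Counter, defaultdict

# Matches the "security - cmd=Auth" failure lines in the layout quoted in this thread.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \w+ +\[[^\]]*\] \[(?P<ctx>[^\]]*)\] "
    r"security - cmd=Auth; account=(?P<account>[^;]+); protocol=(?P<proto>[^;]+); "
    r"error=authentication failed for \[[^\]]*\], (?P<reason>[^;]+);")

def failures_before_lockout(lines):
    """Per account: failure sources seen before the first 'account lockout' line."""
    pending = defaultdict(Counter)  # (protocol, oip, client) -> failures so far
    report = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        acct = m["account"]
        if acct in report:
            continue  # already locked; later lines only repeat the lockout
        if m["reason"] == "account lockout":
            report[acct] = {"locked_at": m["ts"], "sources": dict(pending[acct])}
            continue
        # The bracketed context is a ';'-separated list of key=value pairs.
        ctx = dict(kv.split("=", 1) for kv in m["ctx"].split(";") if "=" in kv)
        client = ctx.get("via", ctx.get("ua", "?")).split(",")[0]
        pending[acct][(m["proto"], ctx.get("oip", ctx.get("ip")), client)] += 1
    return report

def _line(ts, oip, client_kv, proto, reason):
    # Builds one constructed sample line; every value here is made up.
    return (f"2024-09-12 {ts},000 WARN [ImapServer-1] "
            f"[ip=192.0.2.10;oip={oip};{client_kv};cid=1;] "
            f"security - cmd=Auth; account=user@example.test; protocol={proto}; "
            f"error=authentication failed for [user@example.test], {reason};")

OUTLOOK = "via=Microsoft Office 365/15.20.7962.17,192.0.2.10(nginx/1.20.2);ua=Zimbra/24.1.0"
SAMPLE = [
    _line("21:40:01", "198.51.100.7", OUTLOOK, "imap", "invalid password"),
    _line("21:40:20", "198.51.100.7", OUTLOOK, "imap", "invalid password"),
    _line("21:40:45", "203.0.113.5", "ua=ExampleMobile/1.0", "soap", "invalid password"),
    _line("21:41:10", "198.51.100.7", OUTLOOK, "imap", "invalid password"),
    _line("21:42:41", "198.51.100.7", OUTLOOK, "imap", "account lockout"),
    _line("21:43:28", "198.51.100.7", OUTLOOK, "imap", "account lockout"),
]

if __name__ == "__main__":
    for acct, info in failures_before_lockout(SAMPLE).items():
        print(acct, "locked at", info["locked_at"])
        for src, n in info["sources"].items():
            print("  ", n, "failures from", src)
```

Against a real server, pass the open audit.log file object instead of `SAMPLE`; a second source in the output (another protocol, IP or client) points to a device or service still holding the old password.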
 Klug
(@klug)
Joined: 13 years ago
Posts: 65
 

Also, you should upgrade your Carbonio server, it's not up to date.


   
 puvi
(@puvi)
Joined: 8 months ago
Posts: 26
Topic starter  

First, I would like to thank you for your prompt response. We have confirmed that no phones or laptops are connected to their accounts, as we have restricted email server access from outside the office premises for the users experiencing these issues.

The immediate logs indicate that the lockouts are occurring due to incorrect passwords.

 


   
 puvi
(@puvi)
Joined: 8 months ago
Posts: 26
Topic starter  

I will proceed with upgrading our Carbonio Clusters and check if this resolves the issue. If not, I will follow up here. Thank you.


   
 Klug
(@klug)
Joined: 13 years ago
Posts: 65
 

You have a "cluster"?

Do you have several LDAP servers? If yes, have you checked they are correctly synced together?


   
 puvi
(@puvi)
Joined: 8 months ago
Posts: 26
Topic starter  

Yes, @Klug, we have LDAP clusters in place, and their replications are fully synchronized. Numerous applications utilize these LDAP clusters, and they are functioning without any issues.


   
 Klug
(@klug)
Joined: 13 years ago
Posts: 65
 

Numerous applications are using your Carbonio LDAP cluster?
Are you sure of that?
Because this is not what should be done (Carbonio LDAP is not supposed to be the main directory for your organization and used by other apps).

Do you have a Carbonio LDAP cluster or a global LDAP cluster?

In the second case, how is the authorization set up for the domain of the user with the password issue?
Did you disable local auth fallback in Carbonio?
How/where did you change the user's password (Carbonio or global LDAP)?


   
 puvi
(@puvi)
Joined: 8 months ago
Posts: 26
Topic starter  

I believe there's been a misunderstanding. I was referring to our own LDAP, not Carbonio. We've been using our LDAP clusters, which authenticate our Carbonio users for successful login. It seems the discussion has shifted from the original topic. We manage password changes through SSO, and this setup has been in place since we started using Zimbra, approximately 10 years ago, without any issues.


   
 Klug
(@klug)
Joined: 13 years ago
Posts: 65
 

OK, so we just learnt you're using SSO.
While you said the passwords were updated in Outlook (thus, no SSO).

Are you sure you set up Carbonio auth the same way you did with Zimbra (fallback, etc.)?
There is too much information lacking on your setup to help you.


   
 puvi
(@puvi)
Joined: 8 months ago
Posts: 26
Topic starter  

I understood from your point of view. Yes, there are no issues with LDAP authentication. We don't have any issues with other Carbonio users, which I clearly mentioned, meaning there are no issues with LDAP authentication. I told you that some Carbonio users' emails are configured in Microsoft Outlook, where the current passwords were updated correctly. In MS Outlook, you cannot update the passwords automatically, right?


   