Hello Zextras Team,
Is there any way that I can get the device details (PC/Laptop MAC-Address) on which zextras user is logged in currently? I know the logs available in /opt/zextras/logs/audit.log however this audit/access logs gives me only public IP of my ISP, not the PC details(like local IP or MAC) of zextras user logged-in.
Hello Team,
We kindly request that this issue be reviewed again, as we urgently require a workaround.
To provide a brief overview of the issue, we created a new email address under the Carbonio mail server, which was successfully configured on Outlook for a user. However, the problem arises when the user changes their email password. After updating the password in Outlook (the mail client), the account gets locked out in a short span of time. Interestingly, the issue resolves when the user reverts to the old password.
Initially, we suspected the issue was caused by Outlook, so we deleted the email profile and even formatted the PC, but the problem persists. As a temporary measure, we have advised affected users not to change their passwords.
Upon reviewing the audit logs, we observed that the lockout appears to be triggered by Microsoft Office 365, although the user's email account has not been configured in any Microsoft services. This issue affects all users whose email accounts are set up in Outlook
2024-09-12 21:42:41,774 WARN [ImapServer-78] [ip=XXX.XXX.XXX.XXX;oip=40.99.78.85;via=Microsoft Office 365/15.20.7962.17,XXX.XXX.XXX.XXX(nginx/1.20.2);ua=Zimbra/24.1.0_ZEXTRAS_202401;cid=3019;] security - cmd=Auth; account=jjoromo@azpired.net; protocol=imap; error=authentication failed for [jjoromo@azpired.net], account lockout;
2024-09-12 21:43:28,267 WARN [ImapServer-80] [ip=XXX.XXX.XXX.XXX;oip=40.99.78.85;via=Microsoft Office 365/15.20.7962.17,XXX.XXX.XXX.XXX(nginx/1.20.2);ua=Zimbra/24.1.0_ZEXTRAS_202401;cid=3021;] security - cmd=Auth; account=jjoromo@azpired.net; protocol=imap; error=authentication failed for [jjoromo@azpired.net], account lockout;
2024-09-12 21:44:09,629 WARN [ImapServer-80] [ip=XXX.XXX.XXX.XXX;oip=40.99.78.85;via=Microsoft Office 365/15.20.7962.17,XXX.XXX.XXX.XXX(nginx/1.20.2);ua=Zimbra/24.1.0_ZEXTRAS_202401;cid=3023;] security - cmd=Auth; account=jjoromo@azpired.net; protocol=imap; error=authentication failed for [jjoromo@azpired.net], account lockout;
2024-09-12 21:44:51,162 WARN [ImapServer-80] [ip=XXX.XXX.XXX.XXX;oip=40.99.78.85;via=Microsoft Office 365/15.20.7962.17,XXX.XXX.XXX.XXX(nginx/1.20.2);ua=Zimbra/24.1.0_ZEXTRAS_202401;cid=3025;] security - cmd=Auth; account=jjoromo@azpired.net; protocol=imap; error=authentication failed for [jjoromo@azpired.net], account lockout;
2024-09-12 21:45:32,792 WARN [ImapServer-80] [ip=XXX.XXX.XXX.XXX;oip=40.99.78.85;via=Microsoft Office 365/15.20.7962.17,XXX.XXX.XXX.XXX(nginx/1.20.2);ua=Zimbra/24.1.0_ZEXTRAS_202401;cid=3027;] security - cmd=Auth; account=jjoromo@azpired.net; protocol=imap; error=authentication failed for [jjoromo@azpired.net], account lockout;
2024-09-12 21:46:14,474 WARN [ImapServer-78] [ip=XXX.XXX.XXX.XXX;oip=40.99.78.85;via=Microsoft Office 365/15.20.7962.17,XXX.XXX.XXX.XXX(nginx/1.20.2);ua=Zimbra/24.1.0_ZEXTRAS_202401;cid=3028;] security - cmd=Auth; account=jjoromo@azpired.net; protocol=imap; error=authentication failed for [jjoromo@azpired.net], account lockout;
Microsoft Office 365 appears because the user has the O365 version of Outlook. It has nothing to do with O365 as SaaS.
Are you sure the password was correctly updated in Outlook (both IMAP and SMTP)?
The passwords have been successfully updated, and this issue is occurring across most email accounts configured in Outlook.
I can confirm that the passwords were correctly updated, as I verified users were able to log in via webmail before they entered their updated credentials in Outlook.
As I said, did you check the all the accounts (IMAP and SMTP and maybe CalDAV) were updated in Outlook?
Are you sure your users do not have some phone connected to their account too?
The log extract show "account locked", this is after the password issue.
You should look at the logs at the time the lockout happens to find out what is causing the lockout (IMAP or SMTP or something else).
Also, you should upgrade your Carbonio server, it's not up to date.
First, I would like to thank you for your prompt response. We have confirmed that no phones or laptops are connected to their accounts, as we have restricted email server access from outside the office premises for the users experiencing these issues.
The immediate logs indicate that the lockouts are occurring due to incorrect passwords.
I will proceed with upgrading our Carbonio Clusters and check if this resolves the issue. If not, I will follow up here. Thank you.
You have a "cluster"?
Do you have several LDAP servers? If yes, have you checked they are correctly synced together?